Security audit

Spreadsheet Automation

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only spreadsheet automation guide with powerful examples that users should test carefully before applying to real sheets or accounts.

Safe to install as a guide. Before copying any Apps Script into a real Google account, test with dummy sheets, verify recipients and API endpoints, keep tokens scoped and out of shared spreadsheets, back up data before clear/delete operations, and use manual review or sandbox accounts before enabling scheduled publishing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 95%
Finding
This section includes examples that send emails, fetch external API data, and delete rows from sheets, but it does not prominently warn users about privacy exposure, unintended outbound transmission, or irreversible data loss. In a skill that encourages copy/paste of Apps Script, omission of safety guidance materially increases the chance that a user deploys automations affecting real data without understanding the consequences.

Missing User Warnings

Medium
Confidence: 96%
Finding
The auto-publishing example is capable of posting content automatically to external platforms once scheduled conditions are met, yet it lacks a clear warning that live posts will be sent without manual review at execution time. That creates a realistic risk of accidental publication, reputational harm, and misuse if users paste in real tokens and enable triggers.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.