Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Google Sheets via gog
v1.1.0Use this skill when you need to create, inspect, update, append to, or reorganize Google Sheets from a locally installed `gog` CLI. It is for local Google ac...
⭐ 0· 101·0 current·0 all-time
byIvan Kochergin@kvarts
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
Name/description, required binary (gog), and Homebrew install align with operating Google Sheets via a local CLI. However, the skill requires OpenClaw config paths for login and password (skills.entries.gogSheets.config.login and .password) even though SKILL.md explains operations use local gog OAuth; that config gating is disproportionate to the stated purpose and is unexplained.
Instruction Scope
SKILL.md confines actions to running gog CLI commands, managing local OAuth client JSON, and setting GOG_ACCOUNT — all appropriate for the stated purpose. It explicitly warns about confirmations for destructive ops. The only scope concern is the gate that forces config.login/config.password to be present to load the skill (the instructions do not use those values), which could lead to storing secrets in config despite guidance to avoid that.
Install Mechanism
The install spec is a Homebrew formula (gogcli) that creates a gog binary. This is a standard, low-risk install mechanism; no arbitrary downloads or extraction from unknown hosts are used.
Credentials
The skill does not require external API keys beyond local gog OAuth, which is appropriate, but demanding a login and password config entry (named in required config paths) is disproportionate and potentially risky. That pairing looks like unnecessary credential gating and may encourage placing secrets in OpenClaw config even though the runtime uses the local gog OAuth client JSON instead.
Persistence & Privilege
The skill is not always-enabled and does not request system-wide privileges or modify other skills. It is instruction-only (no code files) so it does not install persistent code beyond the Homebrew binary. Autonomous invocation is allowed by default, which is normal; there is no 'always: true' or other elevated persistence.
What to consider before installing
This skill appears to do what it says (drive the local gog CLI against Google Sheets), but it has one odd and potentially risky requirement: OpenClaw will only load the skill if you set skills.entries.gogSheets.config.login and .password. That requirement is not used by the documented gog workflow and could encourage storing a password in your OpenClaw config. Before installing:
- Avoid putting real passwords or long-lived secrets into OpenClaw config; prefer environment variables or the recommended local gog OAuth flow.
- Verify the Homebrew 'gogcli' formula comes from the upstream repository (https://github.com/steipete/gogcli) and inspect the formula if you care about supply-chain risk.
- Confirm you are comfortable running a local CLI that uses a Google OAuth client JSON (you must manage the OAuth credentials and enable the Sheets API in your GCP project).
- If you do not want the skill to be autonomously invoked, restrict agent permissions or avoid enabling the skill; autonomous invocation is allowed by default but not in itself an additional red flag here.
If the presence of the login/password gating is unexplained in your environment, ask the skill author or maintainers why those config keys are required and consider removing or setting them to non-sensitive placeholders before enabling the skill.Like a lobster shell, security has layers — review code before you run it.
latestvk97dmyxtmtng79v8e1eyakxjr9838mwt
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📊 Clawdis
Binsgog
Configskills.entries.gogSheets.config.login, skills.entries.gogSheets.config.password
Install
Install gog (Homebrew)
Bins: gog
brew install gogcli