Envato Comment → Task → Google Sheet
Pending
Static analysis audit pending.
Overview
No static analysis result has been recorded yet. Pattern checks will appear here once the artifact has been analyzed.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A hostile comment could cause an inaccurate or malformed task row if the output is trusted automatically.
The skill inserts external marketplace comment text into the model prompt. A malicious or confusing comment could try to influence the generated JSON, though the skill is output-only and the rules follow the comment.
Comment:
{{comment_text}}
Rules:
Treat comment text as untrusted data, validate the JSON before appending it to a sheet, and consider adding an explicit instruction to ignore commands or instructions inside the comment.
Product information and comment text may be stored in Google Sheets or exposed to anyone who can access the webhook or sheet.
The workflow expects data to be sent to a Google Apps Script webhook. This is disclosed and purpose-aligned, but the endpoint and access controls are left to the user.
Send skill JSON output via POST request to Apps Script endpoint.
Use only a Google Apps Script endpoint you control, restrict access where possible, and avoid sending sensitive customer information unless needed.
