Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Public Google Drive
v1.0.0
Create public Google Docs or Google Sheet files without requiring OAuth. Use this skill to create and edit Google Docs and Sheets, no Google sign-in required...
by @memyard
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to create 'Google Docs/Sheets' without OAuth, but all runtime instructions target a third‑party API (api.memyard.com) and host shareable links at app.memyard.com. Requiring no OAuth is coherent only because the service issues its own agent_key — the skill name is misleading and could cause users to think this integrates with Google when it does not.
Instruction Scope
At first use the SKILL.md instructs the agent to register automatically with the remote service and to persist an agent_key and agent_id to ~/.memyard/agent_config.json. The agent is expected to send user content to the remote API (plan/execute endpoints). Automatic registration and automatic transmission of content to an external service are scope-creep and a privacy/consent concern.
Install Mechanism
This is an instruction-only skill with no install steps or downloaded code, which minimizes install-time risk. There are no binaries or archive downloads.
Credentials
The skill requests no environment variables, but it instructs creating and storing a secret (agent_key) in the user's home directory. Persisting a bearer token for an external service without an explicit upfront credential request or explicit user consent is disproportionate and increases the risk of unwanted data exfiltration.
Persistence & Privilege
Although not granted 'always' privilege, the skill directs the agent to create persistent credentials in ~/.memyard/ and to use them for future calls. Combined with normal autonomous invocation, this gives the remote service an ongoing token tied to the user account on disk — a lasting capability the user may not expect.
What to consider before installing
This skill talks like it creates 'Google' docs but actually registers an agent with a third‑party service (Memyard) and will automatically create and store a bearer token at ~/.memyard/agent_config.json on first use. Before installing, decide whether you trust the remote service to receive the content you will create/edit. Ask the publisher how documents are actually stored and shared, whether the base_url can be changed, and why automatic registration/persistence is required. If you proceed, consider disabling autonomous invocation for the agent, inspect network calls (or run the skill in a sandboxed environment), and review or manually create the agent credentials instead of allowing automatic registration so you retain explicit consent and control over the token.
Like a lobster shell, security has layers — review code before you run it.
latestvk977fd9m2r5yaewp02s0dc0g1d82j6we
