Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Multi-API Data Pipeline to Google Sheets

Connects multiple REST APIs, fetches and transforms data, and pushes it to a live Google Sheets dashboard that auto-updates on a schedule.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The SKILL.md describes a pipeline that legitimately needs Google service account credentials and multiple API keys, but the registry metadata lists no required environment variables or primary credential — this mismatch is an incoherence between what the skill claims to need and what the registry declares.
! Instruction Scope
Runtime instructions require pasting a full GOOGLE_SERVICE_ACCOUNT_JSON into the secrets manager, adding many per-service API secrets, scheduling periodic runs, and writing logs to local paths (logs/pipeline_YYYY-MM-DD.txt) and buffering data locally on Google Sheets write failures. These actions are consistent with a data pipeline but expand scope to persistent local storage and long‑lived secrets handling; the SKILL.md does not describe how scheduling/run context is managed or how logs are protected.
Install Mechanism
No install spec or code files are provided (instruction-only), so there is no installer downloading or executing third-party code. That lowers supply-chain risk, but it does mean the agent itself will perform network calls and file writes at runtime.
! Credentials
The skill asks for a full Google service account JSON and multiple API keys (one per connected service). Those credentials are functionally necessary for the described feature, but they are high‑privilege (service account keys can grant broad Google Cloud access if not scoped), and the registry metadata does not declare them — this omission prevents automated permission review and increases risk. The unspecified pattern [SERVICE]_API_KEY could result in many secrets being requested without clear limits.
Persistence & Privilege
The skill is not marked 'always:true' and allows autonomous invocation (platform default). Autonomous periodic runs plus access to multiple secrets increases blast radius if misused, but the skill does not request system-level persistence or modify other skills' configs. The SKILL.md's expectation of scheduling should be clarified (who/what schedules runs).
What to consider before installing
This skill appears to be what it says (a multi-API → Google Sheets pipeline) but has important red flags: the registry metadata omits the sensitive env vars the instructions require, and the SKILL.md asks you to store and use a full Google service account JSON plus multiple API keys. Before installing:

  1. Ask the publisher for source code or a runbook so you can verify how credentials are used.
  2. Use a dedicated, minimally‑privileged service account (restrict IAM roles and scopes) and test with a non-production sheet.
  3. Avoid reusing high‑privilege keys and rotate them after testing.
  4. Confirm where logs are stored and who can read them.
  5. Clarify how scheduling/periodic runs are performed by the platform.
  6. Prefer OAuth or limited tokens where possible.

If the publisher can’t provide code or clear answers, treat the skill as higher risk and don’t add production secrets.


Current version: v1.0.2
latest: vk975k0vyn50pjy8e2a245cca7x837wb4

SKILL.md

Multi-API Data Pipeline to Google Sheets

Overview

Automated data pipeline that pulls from multiple REST APIs, transforms and merges the data, and pushes it to a Google Sheets dashboard that updates automatically on your chosen schedule (every 15 minutes, hourly, daily). Replaces hours of manual copy-paste work.

What It Does

  • Connects to up to 10 REST APIs simultaneously
  • Handles authentication: API keys, Bearer tokens, OAuth2
  • Transforms and merges data across sources
  • Pushes clean, formatted data to Google Sheets in real time
  • Sends alert if any API call fails
  • Logs all pipeline runs with success/failure status

Required Environment Variables

Set these in OpenClaw's Secrets manager before running:

| Variable | Description |
|---|---|
| GOOGLE_SERVICE_ACCOUNT_JSON | Google Service Account key (full JSON string) |
| TARGET_SHEET_ID | Google Sheets document ID (from the sheet URL) |
| [SERVICE]_API_KEY | One secret per connected API, e.g. SHOPIFY_API_KEY, HUBSPOT_TOKEN |

Setup

  1. Create a Google Service Account, download the JSON key, paste it as GOOGLE_SERVICE_ACCOUNT_JSON
  2. Share your target Google Sheet with the service account email
  3. Set TARGET_SHEET_ID from the sheet URL
  4. Add one secret per API you want to connect
  5. Set update schedule: every 15 minutes / hourly / daily at 06:00

Usage

  • "Connect Shopify and HubSpot APIs and sync sales data to my Google Sheet every hour"
  • "Pull weather data and stock prices into a live dashboard"
  • "Set up a pipeline from our internal API to Google Sheets, update every 15 minutes"
  • "Add Stripe revenue data to the existing pipeline"

Output

  • Live Google Sheets dashboard with latest data
  • Pipeline run log: logs/pipeline_YYYY-MM-DD.txt
  • Alert on failure with error details

Rules

  • Never store raw API credentials in output files or logs
  • Always validate API response schema before writing to Sheets
  • If Google Sheets write fails, buffer data locally and retry up to 3 times
  • Respect API rate limits — add delays per API documentation
  • Each pipeline run must write a summary row to a _run_log tab in the Sheet
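
One way to enforce the first rule above ("Never store raw API credentials in output files or logs") for the logs/pipeline_YYYY-MM-DD.txt run log, as an added example that is not part of the skill or its SKILL.md: a Python logging filter that redacts the values of the secrets listed under Required Environment Variables. The names collect_secrets, RedactSecrets and MIN_LEN, and all sample values, are assumptions constructed for illustration.

```python
import json
import logging
import re

# Names from the SKILL.md table: the service account blob plus any *_API_KEY / *_TOKEN.
SECRET_NAME = re.compile(r"^(GOOGLE_SERVICE_ACCOUNT_JSON|[A-Z0-9_]+_(API_KEY|TOKEN))$")
MIN_LEN = 8  # assumption: shorter values would over-redact ordinary log text
# Constructed sample values, not real credentials.
SAMPLE_ENV = {
    "GOOGLE_SERVICE_ACCOUNT_JSON": json.dumps(
        {"private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n"}),
    "SHOPIFY_API_KEY": "shp_constructed_0001",
    "TARGET_SHEET_ID": "constructed-sheet-id",
}


def collect_secrets(env):
    """Map each secret string that could reach a log line to a safe label."""
    found = {}
    for name, value in env.items():
        if not SECRET_NAME.match(name) or len(value) < MIN_LEN:
            continue
        found[value] = name
        try:
            fields = json.loads(value) if name == "GOOGLE_SERVICE_ACCOUNT_JSON" else {}
        except ValueError:
            fields = {}  # malformed blob: the whole-string entry above still applies
        key = fields.get("private_key") if isinstance(fields, dict) else None
        if isinstance(key, str) and len(key) >= MIN_LEN:
            # Raw form, and the JSON-escaped form seen when a dict is re-dumped.
            found[key] = found[json.dumps(key)[1:-1]] = f"{name}.private_key"
    return found


class RedactSecrets(logging.Filter):
    """Handler-level filter: replaces known secret values before a record is written."""
    def __init__(self, env):
        super().__init__()
        # Longest first, so the full JSON blob is replaced before its inner fields.
        self._pairs = sorted(collect_secrets(env).items(), key=lambda kv: -len(kv[0]))

    def scrub(self, text):
        for value, label in self._pairs:
            text = text.replace(value, f"[REDACTED:{label}]")
        return text

    def filter(self, record):
        record.msg, record.args = self.scrub(record.getMessage()), None
        return True
```

Attach it to the file handler with `handler.addFilter(RedactSecrets(os.environ))`. Tracebacks from `exc_info` are formatted after filters run and are not covered by this filter.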
