
Security audit

Maybeai Sheet Cli Skill

Security checks across malware telemetry and agentic risk

Overview

This is a real MaybeAI spreadsheet helper, but it gives agents broad API, sharing, deletion, export, and LLM-profiling paths without tight scoping or clear safety prompts.

Review before installing. Use this only with a MaybeAI token whose access you are comfortable giving to an agent. Require explicit user confirmation before raw API calls, public sharing, editor grants, file or worksheet deletion, clearing ranges, exports, or workbook profiling that may send sample spreadsheet rows to an LLM.
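One way to enforce that confirmation rule is to put a policy gate between the agent and the CLI: read-only subcommands pass, anything that mutates, deletes, shares, exports or profiles returns a "confirm" decision the harness must surface to the user, and the `raw` escape hatch is denied by default except for GETs inside the spreadsheet namespace, which still need confirmation. The block below is an added example, not code from the skill or from MaybeAI; the audit page names only `maybeai-sheet raw post /api/...`, so every other subcommand, flag and API path used here is an assumed name chosen to illustrate the pattern.

```python
"""Policy gate between an agent and the maybeai-sheet CLI (added example).

Only `maybeai-sheet raw <method> <path>` is named on the audit page. Every
other subcommand, flag and API prefix below is an assumption for illustration.
"""
from dataclasses import dataclass, field
import shlex
from typing import Callable, Sequence

CLI = "maybeai-sheet"

# Risk classes for first-class subcommands (names assumed, except `raw`).
READ_ONLY = {"read-range", "list-worksheets", "get-info", "search"}
MODIFIES_DATA = {"write-range", "append", "upsert", "create-worksheet",
                 "update-formula", "rename", "copy"}
IRREVERSIBLE = {"clear-range", "delete-worksheet", "delete-file"}
LEAVES_BOUNDARY = {"export", "profile"}   # profile may send sample rows to an LLM
SHARING = {"share"}

# raw requests: only GETs under the (assumed) spreadsheet namespace are ever
# acceptable, and even those still require user confirmation.
RAW_ALLOWED_PREFIXES = ("/api/spreadsheets/",)
RAW_DENIED_FRAGMENTS = ("/share", "/delete", "/export", "/profile")


@dataclass
class Decision:
    action: str                      # "allow", "confirm" or "deny"
    reason: str
    tags: list = field(default_factory=list)


def gate(command: str, allow_raw_writes: bool = False) -> Decision:
    """Classify one shell command line the agent proposes to run."""
    argv = shlex.split(command)
    if not argv or argv[0] != CLI:
        return Decision("deny", "not a maybeai-sheet invocation")
    if len(argv) < 2:
        return Decision("deny", "missing subcommand")
    sub, args = argv[1], argv[2:]

    if sub in READ_ONLY:
        return Decision("allow", "read-only")
    if sub in IRREVERSIBLE:
        return Decision("confirm", f"{sub} causes irreversible data loss", ["data-loss"])
    if sub in MODIFIES_DATA:
        return Decision("confirm", f"{sub} modifies workbook data", ["mutation"])
    if sub in LEAVES_BOUNDARY:
        return Decision("confirm", f"{sub} sends workbook contents outside the service",
                        ["exfil-risk"])
    if sub in SHARING:
        return _gate_share(args)
    if sub == "raw":
        return _gate_raw(args, allow_raw_writes)
    return Decision("deny", f"unknown subcommand {sub!r} (default deny)")


def _gate_share(args: Sequence[str]) -> Decision:
    # Assumed flags: --list is read-only; --public and --role editor widen access.
    if "--list" in args:
        return Decision("allow", "listing existing shares")
    tags = []
    if "--public" in args:
        tags.append("public-exposure")
    if "--role" in args:
        i = args.index("--role")
        if i + 1 < len(args) and args[i + 1] == "editor":
            tags.append("editor-grant")
    if not tags:
        tags.append("access-change")
    return Decision("confirm", "changes who can see or edit the workbook", tags)


def _gate_raw(args: Sequence[str], allow_raw_writes: bool) -> Decision:
    if len(args) < 2:
        return Decision("deny", "raw needs a method and a path")
    method, path = args[0].lower(), args[1]
    if not path.startswith(RAW_ALLOWED_PREFIXES) or ".." in path:
        return Decision("deny", f"raw path {path!r} is outside the allowed namespace")
    if any(frag in path for frag in RAW_DENIED_FRAGMENTS):
        return Decision("deny", "raw access to sharing/delete/export/profile endpoints "
                                "is blocked; use the first-class command so its gate applies")
    if method != "get" and not allow_raw_writes:
        return Decision("deny", f"raw {method.upper()} is disabled for this agent")
    return Decision("confirm", f"raw {method.upper()} {path} bypasses the sheet-level commands",
                    ["raw-api"])


def run_gated(command: str, confirm: Callable[[Decision], bool],
              runner: Callable[[list], object], allow_raw_writes: bool = False):
    """Execute via `runner` (subprocess.run in real use) only when allowed or confirmed."""
    decision = gate(command, allow_raw_writes)
    if decision.action == "deny":
        return decision, None
    if decision.action == "confirm" and not confirm(decision):
        return Decision("deny", "user declined: " + decision.reason, decision.tags), None
    return decision, runner(shlex.split(command))
```

The runner and the confirmation callback are injected so the same gate can be wired to a real `subprocess.run` and to whatever prompt the agent harness uses for user approval; unknown subcommands and anything other than `maybeai-sheet` itself are denied rather than passed through.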

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Tp4

High
Category
MCP Tool Poisoning
Confidence
99% confidence
Finding
This is a clear mismatch because the declared purpose describes a general-purpose MaybeAI spreadsheet operations skill, but the actual code only builds a static sample .xlsx file on disk. It does not interact with MaybeAI workbooks, document IDs, worksheet gids, a spreadsheet CLI, remote services, or SQL-over-sheet functionality. The primary purpose of the code is materially different from the declared description.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The documented raw escape hatch explicitly enables access to endpoints beyond the sheet-oriented command set, including workbook profiling, lineage tracing, SQL compilation, charts, formatting, file search/export, and sharing. That broadens the skill's effective authority beyond its stated scope and creates a privilege-expansion path where an agent can invoke sensitive backend capabilities without higher-level safety checks or allowlisting.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The reference states that the raw path can reach sharing and file search/export features even though the skill is presented as a spreadsheet-operation tool. Those capabilities can expose or exfiltrate data, alter access controls, or retrieve unrelated files, making the skill materially more dangerous than its declared purpose suggests.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The plan explicitly adds a generic `api`/`raw` escape hatch beyond the spreadsheet-focused command set, which expands the skill from a scoped data tool into a general backend invoker. In an agent context, that broader capability weakens least-privilege assumptions and can enable unintended access to non-spreadsheet endpoints if exposed through the published CLI.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
`maybeai-sheet raw post /api/...` is a direct arbitrary API invocation primitive, which is not justified by the stated spreadsheet CLI scope. In agent or automation usage, this can be abused to reach sensitive or destructive backend functionality using the CLI's authentication context, effectively turning a narrow tool into a general-purpose API tunnel.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
This reference materially expands the skill from spreadsheet data operations into access-control administration, including making sheets public, granting editor rights, and listing shares. That scope mismatch is dangerous because an agent selected for routine sheet manipulation could be induced to perform privacy- and authorization-sensitive actions the user did not expect from the manifest description, increasing the risk of unauthorized disclosure or modification.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The documentation includes destructive operations such as write-range, clear-range, append, upsert, worksheet creation, and formula updates without an explicit warning that these commands modify workbook data. In an agent setting, absence of modification-risk guidance increases the chance of accidental destructive actions, especially when commands include verification of success but not confirmation of intent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The raw POST escape hatch allows arbitrary requests to backend spreadsheet APIs but provides no warning about privacy, authorization, or system-impact risks. In an agent workflow, this can bypass safer first-class command boundaries and enable unintended access, bulk data extraction, metadata inspection, or other sensitive side effects through crafted request bodies.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The raw API escape hatch is presented without any warning that it may invoke unsafe, state-changing, or out-of-scope backend operations. In the context of an agent skill, undocumented destructive potential increases misuse risk because operators may assume all commands are spreadsheet-safe when this one can bypass normal guardrails.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document explicitly lists rename, delete, and copy operations, including a delete endpoint, but provides no warning, confirmation guidance, or guardrails around destructive actions. In an agent skill that may be used to automate spreadsheet operations, omission of deletion safety practices increases the chance of accidental or unauthorized data loss, especially if an upstream prompt is ambiguous or malicious.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The sharing section documents visibility changes and permission updates without any privacy, least-privilege, or authorization warnings. In the context of a spreadsheet-management skill, this can enable accidental public exposure or overbroad sharing of sensitive workbook data if an agent follows instructions mechanically or is manipulated by a prompt.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The documentation instructs how to make a sheet public or grant access without an explicit warning that these actions can expose private data or allow others to modify content. In an agent setting, omission of that warning makes accidental oversharing more likely, especially for ambiguous requests like 'make it public' or 'share it' where the privacy consequences may be significant.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation includes worksheet deletion guidance but only warns to confirm the gid or sheet name, not to obtain explicit user confirmation or warn about irreversible data loss. In an agent-operated spreadsheet tool, this increases the chance of unintended destructive actions, especially when worksheet targeting can default unexpectedly or be misidentified.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation explicitly states that non-empty worksheet sample rows are sent to an LLM and also returned to the caller, but it does not warn users that potentially sensitive workbook contents may leave the core spreadsheet service boundary for model processing. In a spreadsheet context, sample rows can easily contain PII, financial data, or confidential business records, so silent transmission to an LLM creates a real privacy and data-governance risk.
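Because the page says profiling ships non-empty sample rows to an LLM, a practitioner would want a pre-flight check on those rows before the `profile` command is allowed: scan each cell for PII and payment-data shapes, treat columns with sensitive headers as sensitive regardless of content, and either block the call or send a redacted copy. The block below is an added example, not code from the skill or from MaybeAI; the page does not document the profiling payload format, so the header/row layout, the detector patterns, the header list and the two sample sheets are all constructed assumptions for illustration.

```python
"""Pre-flight scan of profiling sample rows before they leave the service (added example).

The audit page states that sample rows are sent to an LLM; the row layout,
detector regexes, sensitive-header list and sample data below are assumptions.
"""
from dataclasses import dataclass, field
import re

# Cell-shape detectors (assumed patterns; tune for the real data set).
DETECTORS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}
# Header names that mark a whole column as sensitive regardless of cell shape.
SENSITIVE_HEADERS = {"ssn", "salary", "dob", "password", "iban", "card", "card number", "account"}


def luhn_ok(number: str) -> bool:
    """Luhn check so order numbers and IDs that merely look card-shaped are not flagged."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_cell(text: str):
    """Return (redacted_text, list_of_detector_names_hit) for one cell."""
    hits = []

    def make_repl(name):
        def repl(m):
            if name == "card" and not luhn_ok(m.group()):
                return m.group()          # card-shaped but fails Luhn: leave it
            hits.append(name)
            return f"<{name}>"
        return repl

    for name, rx in DETECTORS.items():
        text = rx.sub(make_repl(name), text)
    return text, hits


@dataclass
class Preflight:
    ok: bool                 # True if the rows may be sent (original or redacted)
    rows: list               # rows to send; empty when blocked
    findings: dict = field(default_factory=dict)   # detector or header -> count


def preflight_sample(header, rows, mode: str = "block") -> Preflight:
    """mode="block" refuses any sample with findings; mode="redact" sends a masked copy."""
    findings = {}
    sensitive_cols = {i for i, h in enumerate(header)
                      if str(h).strip().lower() in SENSITIVE_HEADERS}
    for i in sensitive_cols:
        findings[f"header:{header[i]}"] = len(rows)

    redacted = []
    for row in rows:
        new_row = []
        for i, cell in enumerate(row):
            if i in sensitive_cols:
                new_row.append("<redacted>")
                continue
            text, hits = redact_cell(str(cell))
            for h in hits:
                findings[h] = findings.get(h, 0) + 1
            new_row.append(text)
        redacted.append(new_row)

    if not findings:
        return Preflight(True, list(rows), findings)
    if mode == "redact":
        return Preflight(True, redacted, findings)
    return Preflight(False, [], findings)


# Constructed sample sheets (not real data): one with PII, one benign.
HEADER = ["Customer", "Email", "SSN", "Payment", "Order ref"]
ROWS = [
    ["Ada Lovelace", "ada@example.com", "123-45-6789", "4111 1111 1111 1111", "1234567890123456"],
    ["Alan Turing", "alan@example.org", "987-65-4321", "GB29NWBK60161331926819", "ORD-42"],
]
BENIGN_HEADER = ["SKU", "Product", "Qty", "Unit price"]
BENIGN_ROWS = [["A-100", "Widget", 12, 3.5], ["B-200", "Gadget", 7, 12.0]]
```

In block mode the PII sheet is refused outright and the findings map tells the user which columns and detectors fired; in redact mode the masked copy is what would be handed to the profiling call, while the benign product sheet passes untouched. The Luhn check is what keeps the 16-digit order reference from being misreported as a card number.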

VirusTotal

VirusTotal findings are pending for this skill version.
