Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any agent using this token may be able to access or modify MaybeAI spreadsheet documents allowed by that token.
The skill requires a bearer token for the MaybeAI API, which gives the agent delegated access to the user's MaybeAI spreadsheet operations.
requires:
  env:
    - MAYBEAI_API_TOKEN
...
Authorization: Bearer <MAYBEAI_API_TOKEN>
Use a revocable, least-privilege token if MaybeAI supports it, keep it out of logs and chat history, and rotate it if exposed.
Spreadsheet contents may leave the local machine and be stored or processed by MaybeAI.
Spreadsheet files are uploaded to the disclosed MaybeAI backend. This is expected for the skill, but it is a sensitive external data flow.
BASE_URL="https://play-be.omnimcp.ai"
...
curl -s -X POST "$BASE_URL/api/v1/excel/upload" \
  -F "file=@./sample.xlsx"
Upload only files intended for MaybeAI processing, review MaybeAI's privacy/retention terms for sensitive spreadsheets, and treat document IDs and exported files as sensitive.
A mistaken command or unreviewed script run could modify or delete spreadsheet content in the user's MaybeAI account.
The skill intentionally exposes spreadsheet mutation and deletion endpoints. They fit the stated lifecycle-management purpose, but wrong document IDs, ranges, or sheets could cause data loss.
"Delete rows 3–5" | `POST /api/v1/excel/delete_rows`
...
"Delete File" | `POST /api/v1/excel/delete_file`
Confirm the target document, worksheet, and range before destructive edits, keep backups or versions, and avoid running full example scripts on important files without reviewing each API call.
Users may need local tooling before running the scripts, and package installation should be done carefully.
The skill's examples depend on local command-line tools and package-manager installation. This is normal for curl-based API examples, but users should install dependencies from trusted sources.
> **Requires**: `curl` and `jq`. Install jq with `brew install jq` (macOS) or `apt install jq` (Linux).
Install curl/jq from trusted system package managers and review shell scripts before running them.
