Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Google Sheet matan

v1.0.1

Interact with Google Sheets via the Maton API Gateway — read, write, append, and clear spreadsheet data using curl. Use this skill whenever the user mentions...

by Otman Heddouch (@otman-ai)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
!
Purpose & Capability
The skill's name/description and the SKILL.md consistently describe using the Maton API Gateway to operate on Google Sheets (read/write/append/format/etc.), which is appropriate for the stated purpose. However, the registry metadata declares no required environment variables or primary credential, while the runtime instructions explicitly require a MATON_API_KEY. That mismatch is an incoherence between claimed requirements and actual runtime needs.
Instruction Scope
The SKILL.md is instruction-only and confines actions to calling gateway.maton.ai Google Sheets endpoints via curl with an API key. It does not instruct reading arbitrary local files, other environment variables, or sending data to unrelated endpoints. It does instruct setting an environment variable (export MATON_API_KEY).
Install Mechanism
No install spec or code files are present (instruction-only), so nothing is written to disk or downloaded during install — lowest install risk.
!
Credentials
The only secret the instructions need is MATON_API_KEY, which is proportional for a gateway-based API. The concern is the skill metadata does not declare this required env var or a primary credential, so automated permission checks or the user reviewing required secrets may miss it. MATON_API_KEY is sensitive; the skill asks users to put it in the environment, which is normal but should be declared and minimized to least privilege.
Persistence & Privilege
The skill is not always-enabled and does not request system config paths or modify other skills. It runs as an invocation-only instruction set, so it does not request elevated persistence or privileges.
What to consider before installing
This skill's functionality (using Maton gateway to call Google Sheets APIs) is coherent, but the manifest failing to list MATON_API_KEY is a red flag — the instructions do require that secret even though the registry metadata does not. Before installing: (1) ask the publisher to update the skill metadata to declare MATON_API_KEY as a required/primary credential; (2) verify the trustworthiness and privacy policy of gateway.maton.ai (your spreadsheet contents and cell data will transit that third party); (3) limit the API key's permissions and scope, use a key that can be revoked/rotated, and avoid placing long-lived secrets in shared environments; (4) test with non-sensitive spreadsheets first. If you cannot confirm the gateway operator and metadata, treat the skill as untrusted.
