Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

French Learning

v1.0.0

French vocab automation. Formats Excel vocab to Google Sheet, generates ElevenLabs audio, uploads to Drive. Triggers: process french vocab, generate audio, F...

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for clairproqc-star/french-learning.

Install the skill "French Learning" (clairproqc-star/french-learning) from ClawHub.
Skill page: https://clawhub.ai/clairproqc-star/french-learning
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: GEMINI_API_KEY, ELEVENLABS_API_KEY
Required binaries: sag, gog, gemini
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install french-learning

ClawHub CLI

npx clawhub@latest install french-learning
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description, required binaries (gog, gemini, sag) and required env vars (GEMINI_API_KEY, ELEVENLABS_API_KEY) align with the code: scripts read Google Sheets via 'gog', call Gemini for translations, use 'sag' to generate ElevenLabs audio, and upload to Drive. The files implement the described functionality.
Instruction Scope
Runtime instructions and scripts stay within the declared feature set (read source sheet, call Gemini, update target sheet, generate audio with sag, upload to Drive). However, scripts read/write /tmp files and one script (scripts/fix_update.py) constructs and runs a shell command with shell=True that injects the file contents via $(cat ...). If an attacker or another process can control that temp file, this could lead to command injection. Also the skill will upload generated audio into a Google Drive folder (requires Drive access).
Install Mechanism
This is an instruction-only skill with included scripts and no install spec — nothing is downloaded or installed by the skill itself. The risk surface is limited to executing the provided scripts and the external CLIs they call.
Credentials
The declared environment variables (GEMINI_API_KEY, ELEVENLABS_API_KEY) are appropriate for the LLM and TTS usage. However, the scripts rely heavily on the 'gog' CLI for Google Sheets/Drive access but the skill does not declare or request any Google credentials, service-account keys, or config paths. That omission is a coherence gap: a user must ensure gog is authenticated (likely with Google OAuth or a service account) before running. Also treat API keys as sensitive — the skill will use them to make network requests to external services.
Persistence & Privilege
The skill is not persistent (always:false), is user-invocable, and does not modify other skills or system-wide configs. It only runs the included scripts and external CLIs when invoked.
Scan Findings in Context
[static-scan-none] expected: No regex-based findings were detected by the static scanner. This does not remove the runtime concerns noted above (shell=True usage, missing declared Google auth).
What to consider before installing
Before installing or running this skill:

  • Verify gog, gemini, and sag are the exact CLIs you expect and are installed from trusted sources. CLI supply-chain risk is real.
  • Confirm how your machine is authenticated to Google (gog). The skill will read and write Google Sheets and upload files to Drive; the repository does not declare the Google credentials/config required — ensure you only grant a least-privilege account or folder access, not broad account access.
  • Protect API keys: GEMINI_API_KEY and ELEVENLABS_API_KEY are required; treat them as secrets and avoid exposing them to shared environments.
  • Review and harden scripts: replace the shell=True pattern in scripts/fix_update.py (which injects /tmp/french_learning_output_data.json via a shell substitution) with a safe non-shell subprocess call that reads the file directly or passes JSON as an argument. The current pattern could allow command injection if an attacker can control the temp file.
  • Consider running first in a sandbox or with a restricted Google service account that only has write access to the intended Sheet/Drive folder, and audit the folder after a test run.
  • If you do not want the skill to upload to your Drive, do not provide the Drive Folder ID or run the generate_audio script until you have validated outputs locally.

If you want, I can point out the exact lines to change to eliminate the shell invocation and make the scripts safer.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🇫🇷 Clawdis
Bins: sag, gog, gemini
Env: GEMINI_API_KEY, ELEVENLABS_API_KEY
Primary env: GEMINI_API_KEY
latest: vk97esa0fx6wfyc38g8sdy3n1ss83jq0k
92 downloads
0 stars
1 version
Updated 1mo ago
v1.0.0
MIT-0

French Learning Skill

This skill automates the creation of French learning materials.

Resource Locations

  • Configuration: Refer to references/config.md for target Google Sheet and Drive Folder IDs.
  • Scripts: Automation logic resides in scripts/.

Prerequisites

  1. Google Sheet Setup: Ensure you have access to the target Google Sheet: https://docs.google.com/spreadsheets/d/1Nnwv4DbbUgfiNDiJdgCvnyxH6oPBis_99fm-2voehl4.
  2. Google Drive Folder: You must provide a Google Drive Folder ID where the generated audio files will be saved.
  3. ElevenLabs API Key: The ELEVENLABS_API_KEY environment variable must be set to use the sag TTS skill for audio generation.

Standard Workflows

1. Format Excel to Google Sheet

scripts/format_excel.py — Reads source Sheet, calls Gemini for Chinese translation + example sentences, writes 6 columns (Index, Fr Original, En Translation, Chinese Translation, Example Sentence (FR), Example Sentence (CN)) into target Sheet, then applies wrap text (wrapStrategy: WRAP) to all cells so long sentences stay within the cell.

2. Generate & Upload Audio

scripts/generate_audio.py — Fetches Example Sentence (FR) + Index, chunks into batches of 20, generates MP3 via ElevenLabs (sag skill), uploads to specified Drive folder named 1-20.mp3, 21-40.mp3, etc. Requires Drive Folder ID.
