ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Google Sheets via gog

v1.1.0

Use this skill when you need to create, inspect, update, append to, or reorganize Google Sheets from a locally installed `gog` CLI. It is for local Google ac...

0· 201·0 current·0 all-time
byIvan Kochergin@kvarts

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for kvarts/google-sheets-gog.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Google Sheets via gog" (kvarts/google-sheets-gog) from ClawHub.
Skill page: https://clawhub.ai/kvarts/google-sheets-gog
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: gog
Config paths to check: skills.entries.gogSheets.config.login, skills.entries.gogSheets.config.password
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install google-sheets-gog

ClawHub CLI

Package manager switcher

npx clawhub@latest install google-sheets-gog
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
Name/description, required binary (gog), and Homebrew install align with operating Google Sheets via a local CLI. However, the skill requires OpenClaw config paths for login and password (skills.entries.gogSheets.config.login and .password) even though SKILL.md explains operations use local gog OAuth; that config gating is disproportionate to the stated purpose and is unexplained.
Instruction Scope
SKILL.md confines actions to running gog CLI commands, managing local OAuth client JSON, and setting GOG_ACCOUNT — all appropriate for the stated purpose. It explicitly warns about confirmations for destructive ops. The only scope concern is the gate that forces config.login/config.password to be present to load the skill (the instructions do not use those values), which could lead to storing secrets in config despite guidance to avoid that.
Install Mechanism
The install spec is a Homebrew formula (gogcli) that creates a gog binary. This is a standard, low-risk install mechanism; no arbitrary downloads or extraction from unknown hosts are used.
!
Credentials
The skill does not require external API keys beyond local gog OAuth, which is appropriate, but demanding a login and password config entry (named in required config paths) is disproportionate and potentially risky. That pairing looks like unnecessary credential gating and may encourage placing secrets in OpenClaw config even though the runtime uses the local gog OAuth client JSON instead.
Persistence & Privilege
The skill is not always-enabled and does not request system-wide privileges or modify other skills. It is instruction-only (no code files) so it does not install persistent code beyond the Homebrew binary. Autonomous invocation is allowed by default, which is normal; there is no 'always: true' or other elevated persistence.
What to consider before installing
This skill appears to do what it says (drive the local gog CLI against Google Sheets), but it has one odd and potentially risky requirement: OpenClaw will only load the skill if you set skills.entries.gogSheets.config.login and .password. That requirement is not used by the documented gog workflow and could encourage storing a password in your OpenClaw config. Before installing: - Avoid putting real passwords or long-lived secrets into OpenClaw config; prefer environment variables or the recommended local gog OAuth flow. - Verify the Homebrew 'gogcli' formula comes from the upstream repository (https://github.com/steipete/gogcli) and inspect the formula if you care about supply-chain risk. - Confirm you are comfortable running a local CLI that uses a Google OAuth client JSON (you must manage the OAuth credentials and enable the Sheets API in your GCP project). - If you do not want the skill to be autonomously invoked, restrict agent permissions or avoid enabling the skill; autonomous invocation is allowed by default but not in itself an additional red flag here. If the presence of the login/password gating is unexplained in your environment, ask the skill author or maintainers why those config keys are required and consider removing or setting them to non-sensitive placeholders before enabling the skill.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📊 Clawdis
Binsgog
Configskills.entries.gogSheets.config.login, skills.entries.gogSheets.config.password

Install

Install gog (Homebrew)
Bins: gog
brew install gogcli
latestvk97dmyxtmtng79v8e1eyakxjr9838mwt
201downloads
0stars
2versions
Updated 22h ago
v1.1.0
MIT-0
Ivan Kochergin@kvarts
latest
Download

Google Sheets via gog

Use this skill to operate on Google Sheets through the local gog CLI instead of a hosted API bridge. It is intended for spreadsheet CRUD work on the user's own Google account with local OAuth.

Prerequisites

  • gog must be installed locally.
  • OpenClaw only loads this skill when skills.entries.gogSheets.config.login and skills.entries.gogSheets.config.password are both set.
  • The user must have a Google Cloud Desktop OAuth client JSON.
  • The Google Sheets API must be enabled in that Google Cloud project.
  • The agent should prefer the exact spreadsheet ID, tab name, and A1 range before running commands.

OpenClaw Config

Use gogSheets as the OpenClaw config key:

{
  skills: {
    entries: {
      gogSheets: {
        enabled: true,
        config: {
          login: "you@gmail.com",
          password: "app-specific-or-local-secret"
        }
      }
    }
  }
}

login and password are load-time gating requirements for OpenClaw. They make the skill eligible to load, but the sheet operations below still use local gog OAuth unless you later add separate automation around those config values.

If you do not want to store raw secrets directly in config, prefer using skills.entries.gogSheets.env or apiKey alongside this config and keep prompts free of secrets.

Setup

  1. Store the OAuth client credentials:
gog auth credentials ~/Downloads/client_secret_....json
  1. Authorize the account for Sheets:
gog auth add you@gmail.com --services sheets
  1. If Sheets access is being added later to an existing account and Google does not return a refresh token, re-run with consent forced:
gog auth add you@gmail.com --services sheets --force-consent
  1. Select the account for subsequent commands:
export GOG_ACCOUNT=you@gmail.com

Or pass --account you@gmail.com on each command.

Working Rules

  • Prefer --json for reads when the result will be parsed or summarized.
  • Prefer precise spreadsheet IDs over titles.
  • Prefer exact A1 ranges such as Sheet1!A1:D20.
  • If a subcommand or flag is uncertain, inspect help with gog sheets --help or gog <subcommand> --help before executing.
  • Keep commands scoped to Sheets by default. If sandboxing is needed, use GOG_ENABLE_COMMANDS=sheets.
  • Remember that OpenClaw gating checks gog on the host at skill load time; sandboxed runs also need gog installed inside the container.
  • For read-only inspection sessions, prefer re-auth with --readonly instead of assuming write scopes are acceptable.

Safety Policy

Before any destructive or broad write, explicitly state:

  • target spreadsheet ID
  • target tab or named range
  • exact range or object being changed
  • operation being performed

Ask for confirmation before:

  • clear on any range
  • find-replace across a whole spreadsheet or large tab
  • deleting tabs
  • deleting named ranges
  • broad formatting, merge, unmerge, resize, or freeze changes
  • insert operations that shift existing rows or columns
  • overwriting a large existing range with update

Direct reads and narrowly scoped appends or cell updates can proceed without a separate confirmation when the user request is already explicit.

Common Tasks

Read spreadsheet data

  • Inspect metadata for spreadsheet structure.
  • Read a specific A1 range.
  • Read a named range when the spreadsheet already defines one.
  • Use JSON output when the data will be transformed or summarized.

See references/gog-sheets.md for command patterns.

Create and extend spreadsheets

  • Create a new spreadsheet with one or more tabs.
  • Add a new tab to an existing spreadsheet.
  • Rename a tab when requested.

Update and append data

  • Use update for direct cell or range replacement.
  • Use append for new rows.
  • If the sheet relies on data validation, preserve it with --copy-validation-from when appropriate.

Organize structure

  • Manage named ranges when the user refers to stable data blocks by name.
  • Insert rows or columns only after checking whether data shifting is intended.
  • Use formatting commands only when formatting itself is part of the task.

Failure Handling

  • If auth fails, verify credentials were stored with gog auth credentials and inspect account state with gog auth status.
  • If a command fails due to insufficient scopes, re-auth with the needed service and --force-consent.
  • If the spreadsheet target is ambiguous, stop and resolve the spreadsheet ID before mutating anything.
  • If the requested operation may require broader Google access than Sheets alone, inspect gog help first rather than guessing.

References

Comments

Loading comments...