ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Gws Sheets

v1.0.12

Google Sheets: Read and write spreadsheets.

0· 668·19 current·19 all-time
by@googleworkspace-bot
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description map to a gws CLI wrapper and the skill declares the required binary 'gws', which is coherent. However, a Sheets integration normally requires explicit authentication details; this skill omits any required env vars or credentials and instead points to a ../gws-shared/SKILL.md for auth, creating an unexplained dependency outside the package.
!
Instruction Scope
SKILL.md tells the agent to read ../gws-shared/SKILL.md for auth, global flags, and security rules and references other sibling SKILL.md files. Directing the agent to read files outside the skill bundle can cause it to access unexpected local/shared configuration or secrets. The rest of the instructions simply call the 'gws' CLI which is consistent, but the external-file dependency is scope creep and unclear.
Install Mechanism
Instruction-only skill with no install spec and no files written to disk. This is low-risk from an install standpoint — nothing is downloaded or installed by the skill itself.
!
Credentials
The skill declares no required environment variables or primary credential, yet provides no details on how Google auth is provided. The note to read a shared SKILL.md implies credentials or config may live elsewhere; requiring access to external config to obtain auth without declaring it is disproportionate and opaque.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request persistent/always-on presence or modification of other skills or global agent settings. No elevated persistence is requested.
What to consider before installing
This skill appears to be a thin wrapper around a local 'gws' CLI for Google Sheets, which can be fine — but it defers authentication and global flags to a ../gws-shared/SKILL.md file outside the skill. Before installing or enabling it: 1) Inspect the referenced ../gws-shared/SKILL.md (and any sibling SKILL.md files) to see what auth/credentials it expects and where they come from. 2) Verify the 'gws' binary on your system is from a trusted source and understand how it stores/uses Google credentials (e.g., local config, OAuth tokens, environment vars). 3) Avoid granting secrets or placing credentials in shared locations until you confirm who/what will read them. 4) If you cannot locate or inspect the shared SKILL.md, treat the skill as potentially able to read local/shared config and proceed cautiously. If you want lower risk, prefer skills that declare their auth method and required environment variables explicitly inside the package.

Like a lobster shell, security has layers — review code before you run it.

Plugin bundle (nix)
Skill pack · CLI binary · Config
SKILL.mdCLIConfig
CLI help (from plugin)
gws sheets --help

Runtime requirements

Binsgws
latestvk97527b83td8qwtcjyp33h837x83yjk9
668downloads
0stars
13versions
Updated 9h ago
v1.0.12
MIT-0
@googleworkspace-bot
latest
Download

sheets (v4)

PREREQUISITE: Read ../gws-shared/SKILL.md for auth, global flags, and security rules. If missing, run gws generate-skills to create it.

gws sheets <resource> <method> [flags]

Helper Commands

CommandDescription
+appendAppend a row to a spreadsheet
+readRead values from a spreadsheet

API Resources

spreadsheets

  • batchUpdate — Applies one or more updates to the spreadsheet. Each request is validated before being applied. If any request is not valid then the entire request will fail and nothing will be applied. Some requests have replies to give you some information about how they are applied. The replies will mirror the requests. For example, if you applied 4 updates and the 3rd one had a reply, then the response will have 2 empty replies, the actual reply, and another empty reply, in that order.
  • create — Creates a spreadsheet, returning the newly created spreadsheet.
  • get — Returns the spreadsheet at the given ID. The caller must specify the spreadsheet ID. By default, data within grids is not returned. You can include grid data in one of 2 ways: * Specify a field mask listing your desired fields using the fields URL parameter in HTTP * Set the includeGridData URL parameter to true.
  • getByDataFilter — Returns the spreadsheet at the given ID. The caller must specify the spreadsheet ID. For more information, see Read, write, and search metadata. This method differs from GetSpreadsheet in that it allows selecting which subsets of spreadsheet data to return by specifying a dataFilters parameter. Multiple DataFilters can be specified.
  • developerMetadata — Operations on the 'developerMetadata' resource
  • sheets — Operations on the 'sheets' resource
  • values — Operations on the 'values' resource

Discovering Commands

Before calling any API method, inspect it:

# Browse resources and methods
gws sheets --help

# Inspect a method's required params, types, and defaults
gws schema sheets.<resource>.<method>

Use gws schema output to build your --params and --json flags.

Comments

Loading comments...