Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Sheet Data Enrichment
v1.0.0
Enrich spreadsheet data by fetching external sources (URLs, APIs) to fill missing columns, then aggregate results into summary sheets. Use when: (1) a spread...
by Rong@kylinr
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims it works with Feishu Sheets, Google Sheets, and local CSV/Excel, and it explicitly references a 'feishu_sheet' action and browser automation vs 'web_fetch'. However the manifest declares no required environment variables, no primary credential, and no required binaries. Accessing Feishu or Google Sheets typically requires credentials/API tokens; browser automation normally requires a headless browser binary or an automation service. The lack of declared credentials/runtime requirements is disproportionate to the stated capabilities.
Instruction Scope
SKILL.md gives detailed runtime instructions that stay within the stated goal: reading sheets, classifying URLs, fetching pages (web_fetch or browser), extracting data with patterns, verifying, and writing single-cell ranges back. It does not instruct reading unrelated system files or environment variables. However, it relies on platform-provided actions (web_fetch, browser, feishu_sheet) and sample JS snippets to run in page context — the manifest doesn't specify that these actions exist or how they're authorized.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, which minimizes disk-level risks. There is nothing downloaded or written by an installer. That said, because it relies on network fetching and browser automation, the runtime environment must provide those tools; the skill does not state requirements.
Credentials
No environment variables or credentials are declared, yet the instructions require write access to spreadsheets (Feishu/Google) and the ability to fetch arbitrary external URLs and run browser automation. At minimum, Feishu/Google API tokens and possibly browser/runtime service credentials would be expected. The lack of declared secrets is a mismatch and prevents a clear security assessment of what will be accessed if the skill is used.
Persistence & Privilege
The skill is not marked always:true and does not request persistent presence or modify other skills. Autonomous invocation is allowed (platform default), but there are no additional privileges requested in the manifest.
What to consider before installing
This skill's instructions are plausible for the advertised job, but the package metadata omits critical runtime requirements. Before installing or running: (1) ask the publisher how authentication for Feishu/Google Sheets is handled and what credentials you'll need; never supply full-account keys—use least-privilege API tokens or a service account limited to the target spreadsheet. (2) Confirm whether your platform provides 'web_fetch' and a browser automation runtime (headless browser) or whether you must install them; running browser automation can increase risk and resource use. (3) Test on a copy of any real spreadsheet and restrict write permission to the minimum needed. (4) Verify a sample of automatic writes before allowing bulk operations to avoid off-by-one or row-alignment errors. (5) If you require privacy guarantees, ask how fetched page content and extracted data are logged, stored, or transmitted; the SKILL.md does not describe data retention or external endpoints. If the author cannot explain how auth and runtime tooling are provided, treat this skill as too risky to run with sensitive spreadsheets.
Like a lobster shell, security has layers — review code before you run it.
