Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Spreadsheet

v1.0.0

Read, write, and analyze tabular data with schema memory, format preservation, and multi-platform support.

by Iván (@ivangdavila)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the instructions (CSV, Excel, Google Sheets support with schema memory). However, the SKILL.md and templates reference a Google service account file (e.g., 'credentials.json' / '~/credentials.json') and Python libraries (pandas, openpyxl, googleapiclient) while the registry metadata lists no required env vars, credentials, or dependencies. The omission of a declared credential/config requirement is a design inconsistency (not necessarily malicious) that users should be aware of.
Instruction Scope
Instructions stay within the stated scope: they operate on user-provided sheets, local files, and a dedicated ~/spreadsheet/ memory directory. The Google Sheets instructions explicitly require a service-account file for API access; aside from that, there are no instructions to access unrelated system files or external endpoints beyond Google Sheets API. The skill will persist metadata (sheet IDs, URLs, service_account paths) in ~/spreadsheet/ which may contain sensitive links/paths.
Install Mechanism
There is no install spec (instruction-only), which minimizes supply-chain risk. However, the documentation presumes Python libraries (pandas, openpyxl, googleapiclient/google.oauth2) will be available. The skill does not declare these dependencies or provide installation steps, so the agent or user may need to install packages from PyPI; that step is not described and could lead to ad-hoc installs.
Credentials
Registry metadata lists no required credentials or env vars, yet the runtime docs and project template expect a service-account JSON (credentials.json / ~/credentials.json) for Google Sheets access and suggest storing that path in project memory. This mismatch is notable: the skill will use a credential file if provided but does not request or declare it up front. Storing paths or credentials in ~/spreadsheet/ increases the chance of persistent sensitive data exposure if users place secrets there.
Persistence & Privilege
The skill persists data under ~/spreadsheet/ (memory.md, projects/, templates/, exports/) and instructs creating that tree on first use. It does not request elevated platform privileges, does not set always:true, and does not claim to modify other skills or system-wide settings. Users should expect persistent files in their home directory.
What to consider before installing
This skill appears to do what it says (CSV/Excel/Google Sheets handling) but has a few inconsistencies to watch for:

- Credentials: The docs require a Google service-account JSON file (e.g., credentials.json) but the registry metadata does not declare any required credentials or config paths. If you use Google Sheets, prepare a dedicated, least-privileged service account and store its key securely (avoid leaving raw JSON in shared memory files).
- Persistent storage: The skill will create and write files under ~/spreadsheet/. Project files may contain sheet IDs, URLs, and paths to credential files—review and remove sensitive entries when not needed.
- Dependencies: The skill expects Python libraries (pandas, openpyxl, googleapiclient) but gives no install instructions. Install packages from trusted sources and consider running the skill in a controlled environment (virtualenv/container).

Before installing or enabling the skill: verify how it will be executed (which Python/runtime), decide where credential files will live, limit permissions of any Google service account you provide, and inspect the created ~/spreadsheet/ files periodically. If you need stronger assurance, ask the author for a dependency list and an explicit statement of how credentials are used and stored.


Runtime requirements

📊 Clawdis
OS: Linux · macOS · Windows
