Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Google Docs from Markdown

v1.0.1

Create Google Docs from Markdown files. Use when the user wants to create a Google Doc from Markdown content, or when working with the gog CLI and needing to populate Google Docs with content. This skill handles the conversion Markdown → DOCX → Google Docs via Drive upload, since the gog docs CLI only supports create/export/cat/copy but NOT write/update content.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The SKILL.md clearly requires the gog CLI to be authenticated and pandoc to perform the conversion, but the registry metadata lists no required binaries or primary credential. That mismatch (declaring no required binaries while the workflow requires gog and pandoc) is an inconsistency — the skill should declare these dependencies.
Instruction Scope
The instructions themselves stay on‑topic (convert Markdown → DOCX → upload to Drive). However, they instruct an 'auto-download' of pandoc to /tmp on first use. Auto-downloading an executable at runtime expands the scope (network fetch, write to /tmp, execute) beyond simple file conversion and isn't documented in the registry metadata.
! Install Mechanism
There is no formal install spec, but the skill's runtime behavior includes auto-downloading a pandoc binary to /tmp. Runtime downloads of executables are higher risk unless the source is explicit and trusted; the SKILL.md does not specify the exact download URL or verification steps. The presence of a helper script that performs these actions increases the need to review it.
Credentials
The skill requests no environment variables or credentials in metadata, which is good. It does rely on an already-authenticated gog CLI (i.e., the user's Google credentials via gog) but does not declare that requirement in the registry fields — this is a minor proportionality/documentation issue rather than an extra privilege demand.
Persistence & Privilege
The skill is not marked always:true and has no special persistence flags. Model invocation is not disabled, so the agent could call the skill. Given the script may perform network downloads and execute a binary, allowing autonomous invocation increases risk; consider requiring explicit user invocation or disabling autonomous invocation if you want to avoid unexpected downloads.
What to consider before installing
Before installing:
(1) Review the scripts/gdocs-create.sh contents to see exactly what it downloads and from where — verify the pandoc download URL is an official release (e.g., GitHub releases) and that the script verifies checksums.
(2) Ensure you are comfortable with the script writing to /tmp and executing a downloaded binary.
(3) Confirm you have the gog CLI installed and authenticated to the intended Google account; the skill will use that existing authentication to upload files.
(4) If you want to reduce risk, run the script manually in a sandbox or container first, or modify it to use a system-installed pandoc rather than auto-downloading.
Providing the script's full content or the pandoc download URL would allow a higher-confidence assessment.

Like a lobster shell, security has layers — review code before you run it.
