ClawHub

Agent Sheet

Security checks across malware telemetry and agentic risk

Overview

This spreadsheet skill can read and change local workbooks, but the artifacts disclose that purpose and include scoped targeting and verification guidance with no evidence of hidden data sharing or destructive intent.

Install this only if you intend to let an agent inspect and modify local spreadsheets. Keep workbook IDs, sheets, and ranges explicit; review broad clears, deletes, and sheet lifecycle actions before running them; verify changed ranges and exported files afterward; and consider pinning the npm package version in sensitive environments instead of relying on agent-sheet@latest.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The reference documents destructive workbook capabilities such as sheet deletion, row/column deletion, and structural edits, but it does not instruct agents to confirm intent, warn about irreversible changes, or prefer non-destructive alternatives. In an agent-facing skill, omission of those guardrails can lead to unintended data loss from ambiguous prompts or overbroad automation.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The API reference exposes clearContent(), deleteCells(), and related mutating operations without a warning that these actions can irreversibly remove spreadsheet data or shift surrounding cells. Because this file is positioned as operational guidance for agents, that omission increases the chance an agent will perform destructive edits without adequate verification.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guidance teaches a correct technical pattern for deleting rows backward, but frames it purely as an indexing concern and omits that row deletion is destructive and should only occur after explicit user approval. In an automation context, technically accurate deletion guidance without safety checks can normalize irreversible bulk deletion from loosely specified tasks.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal