Is google-sheets safe?

https://clawhub.ai/byungkyu/google-sheets

72
CAUTION

This Google Sheets skill is a documentation-only package with no executable code, install hooks, or direct malicious behavior. However, its architecture routes all Google Sheets API traffic through a third-party proxy (Maton), giving that operator full visibility into user data. The skill also contains a cross-reference that could trigger installation of a broader API gateway skill. No canary files were compromised and no suspicious network activity was observed during installation.

Category Scores

Prompt Injection 65/100 · 30%
Data Exfiltration 65/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 80/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 50/100 · 5%

Findings (9)

MEDIUM Cross-skill installation directive -15

The skill description contains an explicit instruction to use another skill ('For other third party apps, use the api-gateway skill') with a direct URL to clawhub.ai/byungkyu/api-gateway. This could cause an agent to automatically fetch or install a second skill, expanding the attack surface without explicit user consent.

MEDIUM Agent-executable code patterns in markdown -10

The skill provides numerous python <<'EOF' heredoc patterns that an LLM agent would be expected to execute directly. While these are legitimate API examples, they establish a pattern where the agent routinely executes network-calling code from skill instructions, which could be exploited if the skill content were modified.

MEDIUM Broad environment variable access request -10

The skill requires MATON_API_KEY which grants full account-level access to Maton's platform, including the ability to create and delete OAuth connections, not just read/write spreadsheet data.

HIGH Third-party API gateway as data proxy -25

All Google Sheets API calls are routed through gateway.maton.ai rather than directly to sheets.googleapis.com. This means Maton has the technical ability to intercept, log, modify, or exfiltrate all spreadsheet data. Users have no visibility into what Maton does with data in transit.

MEDIUM OAuth token managed by third party -10

The user's Google OAuth token is stored and injected by Maton's servers. The user never sees or controls their own OAuth token — Maton maintains persistent access to the user's Google account until the connection is explicitly deleted.

LOW Sensitive file reads during install phase -20

The filesystem monitor detected reads of .env, .aws/credentials, .profile, and .bashrc during the install phase. These appear attributable to the OpenClaw agent runtime rather than the skill itself, but the pattern warrants noting.

INFO No executable code in skill package 0

The skill consists entirely of markdown documentation, metadata JSON, and a license file. There are no executable scripts, install hooks, git hooks, submodules, or symlinks.

MEDIUM Man-in-the-middle proxy architecture -30

The fundamental architecture of this skill places a third party (Maton) between the user and Google's API. This is a deliberate design choice that trades user data sovereignty for convenience. A sophisticated attacker who compromised Maton's infrastructure would gain access to all users' Google Sheets data.

LOW Skill combination risk with filesystem-capable skills -20

If this skill is active alongside skills with filesystem access, the MATON_API_KEY environment variable could be read and exfiltrated, granting persistent third-party access to the user's Google Sheets.