ClawAudit verdict
google-sheets-soha
Reads local files AND makes external network calls
The skill reads and analyzes Google Sheets data using service account credentials or API key (for public sheets), with behavior matching its stated read/analyze purpose.
Automated static analysis — not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives. Disagree with this verdict? Use Dispute below.
What it does
These are capability combinations: each listed behavior occurs in the skill, but ClawAudit detects co-occurrence — it does not verify that one flows into another. Read the code to confirm a live chain.
Reads local files AND makes external network calls — the capabilities for data exfiltration co-occur (data-flow not verified)
LLM02 · LLM06 · ASI03
Accesses credentials AND makes external network calls — potential credential theft
LLM02 · ASI03
Permission integrity
file_read
Findings (6)
Pipe to python — executes piped content as Python code
SKILL.md · code · | python3
Python shutil file operation — copies/moves/deletes files
SKILL.md · code · shutil.rmtree(
apt-get install — installs system packages
SKILL.md · prose · downgraded · apt-get install
Accesses OpenClaw config/secrets directly
README.md · prose · downgraded · ~/.openclaw/openclaw.json
References sudo — requests elevated privileges
README.md · prose · downgraded · sudo
Changes file ownership
README.md · prose · downgraded · chown
Permissions & capabilities
Requires 2 environment variables. (1 sensitive: name: GOOGLE_API_KEY). Requires 2 system binaries. (1 elevated: curl).
network_outcredential_accessfile_read Thanks — recorded.