ClawHub

Google Sheet API

v1.0.1

OpenClaw skill that installs a Google Sheets CLI with setup steps and commands for read/write, batch, formatting, and sheet management.

3· 1.9k·5 current·5 all-time
by@codedao12
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name, description, SKILL.md, package.json, and scripts/sheets-cli.js all implement a Google Sheets CLI (read/write/batch/format/sheet management) and the requested dependencies (googleapis) are appropriate.
Instruction Scope
Runtime instructions are focused on installing and running the CLI and on providing service-account credentials; they do not instruct the agent to collect unrelated system data or post to unexpected endpoints.
Install Mechanism
There is no registry install spec; SKILL.md directs users to run npm install which pulls a standard dependency (googleapis) from npm — expected for a Node CLI.
Credentials
The skill legitimately requires Google service-account credentials (multiple env var and file-path options are documented). Registry metadata lists no required env vars, which is a minor mismatch with the SKILL.md and runtime behavior. The tool searches common local paths (including the user home path), so it may pick up credentials from the working directory or ~/.config automatically — this is convenient but could result in using an unexpected key if multiple credentials exist. There is a small inconsistency in an env var name in code (GOOGLE_SERVICE_ACCOUNT_JSON) that isn't documented in SKILL.md.
Persistence & Privilege
The skill is not always-enabled, does not request elevated platform privileges, and does not modify other skills or system-wide agent settings.
Assessment
This skill appears to be a legitimate Google Sheets CLI that requires a Google service account key. Before installing: (1) Only provide a service-account JSON you control and never commit it to source control; (2) be aware the CLI will look for credential files in the current directory and in ~/.config, so run it in a controlled folder or set the explicit env var (e.g., GOOGLE_SERVICE_ACCOUNT_KEY or GOOGLE_SHEETS_CREDENTIALS_JSON) to the intended path/inline JSON; (3) review scripts/sheets-cli.js yourself if you want to confirm it doesn't contact any non-Google endpoints; (4) run npm install in an environment where pulling googleapis from npm is acceptable. The main issues are a small metadata/documentation mismatch about required env vars and a minor env-var name inconsistency — these are not indicators of malicious behavior but you should confirm which credential the CLI will actually use on your system.

Like a lobster shell, security has layers — review code before you run it.

latestvk971rc6sxg2qhzw8pf5yr0njes80dsrn

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments