Google Sheet API

Security checks across malware telemetry and agentic risk

Overview

This appears to be a coherent Google Sheets CLI skill, but it uses service-account credentials and can modify or delete spreadsheet data.

Install only if you are comfortable giving this skill a Google service-account key. Use a dedicated account, share only the spreadsheets it should touch, verify write/delete commands carefully, and pin npm dependencies if you rely on it for production automation.

VirusTotal

62/62 vendors flagged this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Medium
What this means

Anyone installing or invoking the skill must protect the service-account key; the skill can access spreadsheets that are shared with that account.

Why it was flagged

The skill intentionally uses Google service-account credentials from environment variables or local credential files to access Google Sheets.

Skill content

Supported sources (first match wins): `GOOGLE_SHEETS_CREDENTIALS_JSON` ... `GOOGLE_APPLICATION_CREDENTIALS` ... `~/.config/google-sheets/credentials.json`

Recommendation

Use a dedicated least-privilege service account, share only the intended spreadsheets, avoid broad production keys, store keys securely, and rotate credentials if exposed.

ASI02: Tool Misuse and Exploitation
Medium
What this means

A mistaken command or wrong spreadsheet ID/range could overwrite, clear, restructure, or delete spreadsheet content.

Why it was flagged

The CLI exposes write, clear, delete, and raw batch update operations against Google Sheets.

Skill content

Data: `read`, `write`, `append`, `clear`, `batchGet`, `batchWrite` ... Sheets: `create`, `info`, `addSheet`, `deleteSheet`, `renameSheet` ... Advanced: `batch` (raw `spreadsheets.batchUpdate` requests)

Recommendation

Confirm spreadsheet IDs, ranges, and request payloads before write/delete/batch commands; keep backups for important sheets; prefer read-only workflows when only reading.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Future installations could pull a different googleapis package version than the one originally tested.

Why it was flagged

The skill relies on an npm dependency with a semver range, so installs may resolve to newer compatible versions rather than a fully pinned dependency set.

Skill content

"dependencies": { "googleapis": "^140.0.0" }

Recommendation

For production use, install with a lockfile or pin exact dependency versions and review the dependency source.