Google Sheet API

Advisory

Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone installing or invoking the skill must protect the service-account key; the skill can access spreadsheets that are shared with that account.

Why it was flagged

The skill intentionally uses Google service-account credentials from environment variables or local credential files to access Google Sheets.

Skill content

Supported sources (first match wins): `GOOGLE_SHEETS_CREDENTIALS_JSON` ... `GOOGLE_APPLICATION_CREDENTIALS` ... `~/.config/google-sheets/credentials.json`

Recommendation

Use a dedicated least-privilege service account, share only the intended spreadsheets, avoid broad production keys, store keys securely, and rotate credentials if exposed.

What this means

A mistaken command or wrong spreadsheet ID/range could overwrite, clear, restructure, or delete spreadsheet content.

Why it was flagged

The CLI exposes write, clear, delete, and raw batch update operations against Google Sheets.

Skill content

Data: `read`, `write`, `append`, `clear`, `batchGet`, `batchWrite` ... Sheets: `create`, `info`, `addSheet`, `deleteSheet`, `renameSheet` ... Advanced: `batch` (raw `spreadsheets.batchUpdate` requests)

Recommendation

Confirm spreadsheet IDs, ranges, and request payloads before write/delete/batch commands; keep backups for important sheets; prefer read-only workflows when only reading.

What this means

Future installations could pull a different googleapis package version than the one originally tested.

Why it was flagged

The skill relies on an npm dependency with a semver range, so installs may resolve to newer compatible versions rather than a fully pinned dependency set.

Skill content

`"dependencies": { "googleapis": "^140.0.0" }`

Recommendation

For production use, install with a lockfile or pin exact dependency versions and review the dependency source.