Google Sheet API
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: google-sheet-api Version: 1.0.1 The OpenClaw skill provides a Google Sheets CLI, which is clearly documented and implemented using the official `googleapis` library. Credential handling is robust, supporting standard environment variables and file paths (including `~/.config/google-sheets/credentials.json`), which is necessary for its functionality. There is no evidence of data exfiltration, malicious execution, persistence, obfuscation, or prompt injection attempts against the agent in any of the analyzed files (SKILL.md, scripts/sheets-cli.js, package.json, etc.). All behaviors align with the stated purpose of managing Google Sheets.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone installing or invoking the skill must protect the service-account key; the skill can access spreadsheets that are shared with that account.
The skill intentionally uses Google service-account credentials from environment variables or local credential files to access Google Sheets.
Supported sources (first match wins): `GOOGLE_SHEETS_CREDENTIALS_JSON` ... `GOOGLE_APPLICATION_CREDENTIALS` ... `~/.config/google-sheets/credentials.json`
Use a dedicated least-privilege service account, share only the intended spreadsheets, avoid broad production keys, store keys securely, and rotate credentials if exposed.
A mistaken command or wrong spreadsheet ID/range could overwrite, clear, restructure, or delete spreadsheet content.
The CLI exposes write, clear, delete, and raw batch update operations against Google Sheets.
Data: `read`, `write`, `append`, `clear`, `batchGet`, `batchWrite` ... Sheets: `create`, `info`, `addSheet`, `deleteSheet`, `renameSheet` ... Advanced: `batch` (raw `spreadsheets.batchUpdate` requests)
Confirm spreadsheet IDs, ranges, and request payloads before write/delete/batch commands; keep backups for important sheets; prefer read-only workflows when only reading.
Future installations could pull a different googleapis package version than the one originally tested.
The skill relies on an npm dependency with a semver range, so installs may resolve to newer compatible versions rather than a fully pinned dependency set.
"dependencies": { "googleapis": "^140.0.0" }For production use, install with a lockfile or pin exact dependency versions and review the dependency source.