Google Sheets API

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Google Sheets CLI skill, but it can use service-account credentials to read and change shared spreadsheets, so it should be configured narrowly.

Before installing, make sure you are comfortable giving this skill a Google service account. Share only the spreadsheets it truly needs, keep the key file private, and manually review any write, clear, deleteSheet, or raw batch command before running it.

VirusTotal

62/62 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Medium
What this means

Anyone using this skill must provide a service account that can access the spreadsheets shared with it; the skill can then act with that account's permissions.

Why it was flagged

The skill is designed to use Google service-account credentials from environment variables or local files. That is purpose-aligned for Google Sheets automation, but it is sensitive delegated access.

Skill content

Supported sources (first match wins):
- `GOOGLE_SHEETS_CREDENTIALS_JSON` ...
- `GOOGLE_APPLICATION_CREDENTIALS` ...
- `~/.config/google-sheets/credentials.json`

Recommendation

Use a dedicated service account, share only the specific spreadsheets needed, keep keys out of source control, and prefer read-only scope for read-only workflows.

ASI02: Tool Misuse and Exploitation
Medium
What this means

If invoked with the wrong spreadsheet ID, range, sheet name, or batch request, the skill could overwrite, clear, rename, or delete spreadsheet data.

Why it was flagged

The command list openly includes mutating and destructive spreadsheet operations plus a raw batchUpdate escape hatch. These are coherent with an advanced Sheets CLI, but mistakes could change or delete spreadsheet content.

Skill content

Data:
- `read`, `write`, `append`, `clear`, `batchGet`, `batchWrite`
...
Sheets:
- `create`, `info`, `addSheet`, `deleteSheet`, `renameSheet`

Advanced:
- `batch` (raw `spreadsheets.batchUpdate` requests)

Recommendation

Review mutating commands before use, keep backups for important sheets, and avoid raw batch requests unless the request body is understood.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

A future dependency update could change installed code behavior compared with the reviewed version.

Why it was flagged

The skill installs the Google APIs client from npm using a semver range. This is expected for a Node-based Google Sheets CLI, but dependency versions are not fully pinned in the provided artifacts.

Skill content

"dependencies": {
  "googleapis": "^140.0.0"
}

Recommendation

Install from a trusted source and consider pinning dependencies with a lockfile for reproducible installations.