Spreadsheet
PassAudited by ClawScan on May 1, 2026.
Overview
The skill is a coherent spreadsheet helper, but users should notice that it can write to spreadsheets, use Google Sheets credentials, and keep local spreadsheet metadata.
This skill appears safe for its stated spreadsheet purpose. Before installing or using it, decide where ~/spreadsheet/ should live, avoid storing secrets there, use a narrowly shared Google service account if Google Sheets is enabled, and review any proposed write or append operation before it is applied.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked for a write task, the agent may change cells or append rows in a Google Sheet.
The skill documents Google Sheets update and append operations, which can modify remote spreadsheet data. This is purpose-aligned for a spreadsheet read/write skill and the SKILL.md says spreadsheets should be user-requested.
service.spreadsheets().values().update(...).execute(); service.spreadsheets().values().append(...).execute()
Review target spreadsheet IDs, ranges, and values before approving write operations, and keep backups for important sheets.
A configured service account could read and modify Google Sheets that you share with it.
The Google Sheets workflow uses a service-account credential with spreadsheet API scope and requires Editor access on shared sheets. This is expected for automation, but it grants meaningful read/write authority over sheets shared with that account.
Credentials.from_service_account_file('credentials.json', scopes=['https://www.googleapis.com/auth/spreadsheets']) ... Service account needs Editor accessUse a dedicated service account, share only the specific sheets needed, protect the credentials file, and revoke access when no longer needed.
Spreadsheet metadata may persist across sessions and influence later spreadsheet tasks.
The skill intentionally stores persistent spreadsheet metadata for reuse. This is disclosed and scoped to ~/spreadsheet/, but the stored context may include private sheet identifiers, paths, schemas, and preferences.
Memory lives in `~/spreadsheet/` ... `memory.md` # Preferences, recent sheets, format rules ... `projects/{name}.md` # Sheet IDs, columns, formulasPeriodically review ~/spreadsheet/, avoid storing secrets or sensitive financial details there, and remove stale or incorrect project memory.