Skill to manage and update google sheet
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: google-sheet Version: 1.0.0 The OpenClaw AgentSkills skill bundle for Google Sheets is classified as benign. The `SKILL.md` provides clear, functional instructions for interacting with Google Sheets and does not contain any prompt injection attempts against the agent. The `scripts/sheets.js` code implements the stated functionality using the official `googleapis` SDK. While it accesses local files and environment variables (`GOOGLE_SERVICE_ACCOUNT_KEY`, `GOOGLE_SHEETS_KEY_FILE`, `service-account.json`, `credentials.json` in various paths) for authentication, this is a necessary and expected behavior for a Google Cloud service account. There is no evidence of data exfiltration to unauthorized endpoints, malicious code execution, persistence mechanisms, or obfuscation. All network calls are directed to the legitimate Google Sheets API.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any agent using this skill with that key can read and change spreadsheets shared with the service account.
The script reads a local Google service-account key and requests the full Google Sheets read/write scope, which is expected for this skill but gives real delegated authority over shared spreadsheets.
const credentials = JSON.parse(fs.readFileSync(credPath, 'utf8')); ... scopes: ['https://www.googleapis.com/auth/spreadsheets']
Use a dedicated service account, share only the specific spreadsheets needed, protect the key file, and rotate or revoke the key if it is no longer needed.
A mistaken or overbroad command could overwrite cells, clear data, or delete a sheet tab.
The documented command set includes operations that can change or remove spreadsheet data. This matches the stated purpose, but the impact can be significant if invoked on the wrong sheet or range.
`write` ... `append` ... `clear` ... `deleteSheet`
Review spreadsheet IDs, ranges, and sheet names before write, clear, or delete actions; consider requiring explicit confirmation for destructive operations.
Installing the skill will rely on npm packages, so the runtime behavior depends on that dependency chain.
The skill is described as having no install spec, but its instructions require installing Node.js dependencies. The included package-lock.json helps with provenance, and the dependency is purpose-aligned.
cd skills/google-sheets && npm install
Install from a trusted environment, keep the lockfile, and review dependency updates before upgrading.