Google Sheets

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Google Sheets integration, but it gives an agent broad authenticated ability to modify or clear spreadsheets without clear confirmation safeguards.

Install only if you trust Membrane and are comfortable connecting the intended Google account. Before using it, require the agent to confirm the spreadsheet, range, action, and exact intended changes before any append, update, batch update, clear, copy, create, or proxy request, especially on sensitive or business-critical sheets.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill advertises write-capable and destructive spreadsheet actions like clear, append, update, and copy without any guardrails about confirmation, scope validation, or irreversible data changes. In an agent setting, this increases the risk of unintended modification or deletion of user data if the model selects a write action from ambiguous instructions.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The proxy request section permits arbitrary API paths and destructive HTTP methods including POST, PUT, PATCH, and DELETE, while emphasizing convenience rather than risk. In a connected environment with valid credentials, this broad raw request capability can bypass safer pre-built actions and enable unintended mass edits, deletion, or misuse of accessible Google Sheets resources.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal