Multi-API Data Pipeline to Google Sheets

Review

Audited by ClawScan on May 10, 2026.

Overview

This instruction-only skill describes an expected API-to-Google-Sheets automation, but it asks users to supply powerful API and Google credentials and to run recurring syncs.

Before installing, make sure you are comfortable giving this skill access to the target Google Sheet and the selected API services. Use least-privileged credentials, test on a non-production sheet, define exactly what data should sync, and review log/buffer retention so sensitive business data is not stored longer or shared more broadly than intended.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If overly broad credentials are supplied, the pipeline could access more API or spreadsheet data than intended.

Why it was flagged

The skill requires a Google service account credential and one or more third-party API credentials. This is expected for the stated API-to-Sheets pipeline, but these credentials can grant meaningful account access.

Skill content

`GOOGLE_SERVICE_ACCOUNT_JSON` | Google Service Account key ... `[SERVICE]_API_KEY` | One secret per connected API

Recommendation

Use least-privileged API keys, read-only source API scopes where possible, and a Google service account limited to the specific target sheet.

What this means

A bad API response, incorrect mapping, or misconfigured schedule could repeatedly update the live Google Sheet with incorrect data.

Why it was flagged

The skill is designed to perform recurring automated writes to a live dashboard. This is core to the purpose, but recurring automation can repeatedly propagate bad data if configuration or transformation logic is wrong.

Skill content

updates automatically on your chosen schedule (every 15 minutes, hourly, daily)

Recommendation

Test with a separate sheet first, define exact sheet tabs/ranges, keep backups or version history, and monitor the run log after enabling a schedule.

What this means

Pipeline data or error details may remain in local files or in the `_run_log` sheet tab after runs.

Why it was flagged

The skill creates persistent local logs and may temporarily buffer pipeline data. It also says not to store raw credentials, which mitigates credential leakage, but data/log retention is not fully specified.

Skill content

Pipeline run log: `logs/pipeline_YYYY-MM-DD.txt` ... If Google Sheets write fails, buffer data locally and retry up to 3 times

Recommendation

Avoid syncing highly sensitive data unless necessary, redact logs, set a retention policy, and store local buffers/logs in a protected location.

What this means

Users may need additional setup that is not represented in the registry metadata.

Why it was flagged

SKILL.md lists runtime dependencies, while the provided registry metadata says there are no required binaries or env vars and no install spec. This is an incomplete declaration, not evidence of malicious behavior.

Skill content

requires: [python3, requests, pandas, gspread, google-auth-oauthlib]

Recommendation

Confirm dependency installation and secret setup manually before use, and prefer pinned, trusted package sources if code is later added.