gspread-sheets
PassAudited by ClawScan on May 10, 2026.
Overview
Benign overall: this is a coherent Google Sheets automation guide, but it needs a Google service-account key and can make bulk or destructive sheet changes.
Use this skill only when you need Google Sheets API automation. Keep the service-account key private, share only the necessary spreadsheets with that account, pin package versions if you install the Python libraries, and ask the agent to confirm exact spreadsheet IDs and ranges before any clear, replace, delete, or bulk update action.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the service-account key is exposed or too many files are shared with that account, the agent or any script using the key could read or modify those spreadsheets.
The skill requires Google service-account credentials and requests Sheets plus Drive API scope. That is expected for Google Sheets automation, but it grants access to spreadsheets and Drive items shared with the service account.
Service account JSON key file required... `GOOGLE_SERVICE_ACCOUNT_JSON=/path/to/key.json` ... SCOPES = ['https://www.googleapis.com/auth/spreadsheets', 'https://www.googleapis.com/auth/drive']
Use a dedicated least-privilege service account, share only the target spreadsheets, store and rotate the key securely, avoid pasting the key into prompts, and consider narrower scopes when possible.
A mistaken target spreadsheet, worksheet, or range could overwrite, clear, or delete important Google Sheets data.
The examples include bulk writes, appends, clearing ranges or sheets, and deleting worksheets. These are disclosed and aligned with the stated purpose, but they are high-impact operations if run on the wrong sheet or range.
`ws.update(...)`, `ws.append_rows(...)`, `ws.clear()`, `ws.batch_clear(...)`, `sh.del_worksheet(ws)`
Before running destructive or bulk operations, require confirmation of the spreadsheet ID, worksheet name, affected ranges, and whether a backup or dry run is needed.
Package behavior could change over time, and installation depends on the user's Python package source and environment.
The setup instructions rely on external PyPI packages without pinned versions. This is normal for a Python library integration, but the reviewed artifacts do not lock package versions or provide provenance.
pip install gspread google-auth
Install from a trusted package index, pin reviewed versions in your project, and use a virtual environment.