Google Sheets Agent
v1.1.1Read, write, and append to Google Sheets via service account — zero dependencies. Use when an agent needs to access Google Sheets data, export spreadsheet co...
⭐ 2· 849·2 current·2 all-time
byThe Agent Wire@theagentwire
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description match the actual code: the script implements JWT service-account auth and Sheets/Drive API calls without external deps. However registry metadata claims 'required env vars: none' and 'primary credential: none' while the code expects a service account key (via GOOGLE_SA_KEY_JSON, GOOGLE_SA_KEY_FILE, or 1Password). This metadata omission is an inconsistency.
Instruction Scope
SKILL.md and the script instruct the agent to load a service-account key from an env var, a local file, or by invoking the 1Password CLI. The script runs a child_process exec: op document get "Google Service Account - sheets-reader" --vault AbundanceM. That external command call and the hard-coded vault name are noteworthy: they will fail unless the user has op configured and that vault exists, and the vault name is not documented in SKILL.md. The script otherwise only contacts Google OAuth/token and Sheets/Drive APIs (expected).
Install Mechanism
Instruction-only skill with an included Node.js script; no install spec and no downloads. No archives or third-party package installs — low install risk.
Credentials
The skill requires a Google service account key (sensitive) but the registry lists no required env or primary credential. The code supports GOOGLE_SA_KEY_JSON and GOOGLE_SA_KEY_FILE but these were not declared. It also relies on the 1Password CLI as a fallback and calls it with a hard-coded vault name ('AbundanceM'), which is not justified in the SKILL.md. Requesting the service account key is expected for the stated purpose, but the metadata omission and hard-coded 1Password vault are disproportionate/opaque.
Persistence & Privilege
always is false and the skill does not request persistent system privileges or modify other skills. It caches tokens in memory only and does not write files to disk.
What to consider before installing
This script appears to implement service-account access to Google Sheets as claimed, but exercise caution: it requires a Google service-account JSON key (sensitive) even though the registry metadata does not declare it. The code will try three key sources: GOOGLE_SA_KEY_JSON, GOOGLE_SA_KEY_FILE, or running the 1Password CLI (op). Note the script calls op with a hard-coded vault name (--vault AbundanceM) which is not documented — this looks like an author-specific artifact and may cause failures or unexpected behavior. Before installing: (1) verify the script source and consider running it locally to inspect it; (2) create a dedicated, least-privileged Google service account scoped only to the sheets/drive resources you need; (3) avoid reusing high-privilege keys and consider using GOOGLE_SA_KEY_FILE/GLOBAL env instead of storing keys in third-party vault access invoked by the skill; (4) if you rely on 1Password, either update the script to reference your vault or remove the 1Password fallback; (5) confirm you trust the publisher — the metadata mismatch (no declared envs) and the hard-coded vault make this skill worth manual review before granting access to any sensitive credentials.Like a lobster shell, security has layers — review code before you run it.
latestvk97f572pb0prbr79zy7acsg7ms82eq67
License
MIT-0
Free to use, modify, and redistribute. No attribution required.