Google Sheets Agent
Review
Audited by ClawScan on May 10, 2026.
Overview
This skill mostly matches its Google Sheets purpose, but it handles powerful service-account credentials and its read commands request write-capable Google Sheets scope despite claiming read-only scope.
Review and possibly adjust the code before installing. Use a dedicated Google service account, share only the sheets the agent needs, give Viewer access for read-only tasks, and be aware that the current implementation requests write-capable Sheets scope for read operations.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the service account has editor access to a spreadsheet, a supposedly read-only use still obtains a token capable of writing to sheets.
The read/meta paths call sheetsApi without passing a read-only scope, so the script requests the full Google Sheets read/write OAuth scope even though SKILL.md says read commands use spreadsheets.readonly.
async function getAccessToken(scope = 'https://www.googleapis.com/auth/spreadsheets') ... async function readSheet(sheetId, range = 'Sheet1!A:ZZ') { return sheetsApi(`${sheetId}/values/${encodeURIComponent(range)}`); }
Change read/meta to request spreadsheets.readonly, or clearly document that all Sheets API calls may use full Sheets scope. Share the service account as Viewer unless writes are required.
Anyone running the skill gives the agent access to whatever Google Sheets are shared with that service account.
The script can load a Google service-account private key from an environment variable, a local file, or 1Password. This is purpose-aligned, but it is sensitive credential handling and the 1Password vault name is hard-coded.
if (process.env.GOOGLE_SA_KEY_FILE) ... readFileSync(process.env.GOOGLE_SA_KEY_FILE, 'utf8') ... execAsync('op document get "Google Service Account - sheets-reader" --vault AbundanceM')
Use a dedicated least-privilege service account, share only the needed spreadsheets, verify the credential source, and avoid giving editor access unless the agent must write.
An agent using this skill can change spreadsheet contents, which may affect business records or shared data.
The skill exposes append and overwrite operations that take JSON rows from stdin and write them to a specified sheet/range. This matches the stated purpose but can modify cloud spreadsheet data.
case 'append': ... result = await appendRows(args[0], args[1], await readStdin()); ... case 'write': ... result = await writeRange(args[0], args[1], await readStdin());
Before allowing writes, confirm the exact spreadsheet ID, tab/range, and rows to be changed; keep backups or version history available.
