OpenClaw skill that installs a Google Sheets CLI with setup steps and commands for read/write, batch, formatting, and sheet management.
Security Analysis
Medium confidence. The code implements a legitimate Google Sheets CLI using a service-account model, but there are inconsistencies and missing declarations (env var names, install metadata) and minor issues you should review before installing.
The skill's name, description, SKILL.md, package.json, and scripts/sheets-cli.js all align: this is a CLI for the Google Sheets API (reads/writes, batch, formatting, sheet management) using the googleapis npm package and service-account credentials.
The runtime instructions are reasonable for the stated purpose (npm install; run node scripts/sheets-cli.js). The CLI will search for credentials in env vars and on-disk locations (cwd and the user's home config path) as expected for a service-account-driven tool. There is a small inconsistency between the documented env names and the code (the code checks GOOGLE_SHEETS_CREDENTIALS_JSON and also GOOGLE_SERVICE_ACCOUNT_JSON — the latter looks like a typo compared to env_example.md which uses GOOGLE_SERVICE_ACCOUNT_KEY). This mismatch could cause confusion or failure to load credentials.
There is no platform install spec, but package.json exists and SKILL.md instructs users to run npm install. That will pull the googleapis package from npm (expected). The lack of an explicit install entry in the registry metadata means install will be manual; verify npm network retrieval and consider pinning/checking package integrity before running.
The skill legitimately needs Google service-account credentials, but the registry metadata lists no required env vars or primary credential while the SKILL.md and code expect credentials from multiple env vars or files. The code checks several on-disk locations (including ~/.config/google-sheets/credentials.json), which is reasonable but broad — the registry should have declared the credential requirement and the exact env names. Confirm which env var you will use and do not supply higher-privilege credentials than necessary.
The skill does not request always:true and does not appear to modify other skills or system-wide settings. It runs as a normal CLI and only uses the Google API client; autonomous invocation is the platform default but not a new privilege here.
Guidance
This skill appears to be a genuine Google Sheets CLI, but check a few things before installing:
1) Confirm which environment variable you will supply (the code and docs disagree slightly) and ensure you use a dedicated, least-privilege service account key (read-only scope for read tasks).
2) Don't place broad/owner credentials in project files or repos; keep the JSON key out of version control and prefer a limited-scope service account.
3) The package pulls googleapis from npm: run npm install in a controlled environment, verify package versions, and consider auditing node_modules or using integrity checks.
4) Because the CLI checks for credential files in the current directory and your home directory, be aware it may pick up any keys present there; remove or relocate keys you don't want the skill to access.
5) The code contains minor env-name inconsistencies (possible typo): test credential loading locally before using in production.
If you need higher assurance, run the CLI inside a restricted container or VM and review the full scripts/sheets-cli.js file yourself.
Latest Release
v1.0.3
- Improved documentation with detailed setup, install, and usage instructions for the Google Sheets CLI.
- Clarified features: supports read/write, batch, formatting, and sheet management using service account authentication.
- Added comprehensive credential loading order and input conventions.
- Expanded command list for data operations, formatting, sheet management, and advanced batch updates.
- Included security guidance and best practices for operational use.
Published by @codedao12 on ClawHub