google-sheets
Warn
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: MEDIUMPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [Metadata Poisoning] (MEDIUM): There is a deceptive discrepancy between the skill's metadata files. The README.md explicitly states the skill is for 'Read-only access', but the SKILL.md instructions for the AI agent describe and provide commands for 'Full read/write access', including updating cells, appending rows, and clearing ranges. This misleads users about the skill's potential impact on their data.
- [Indirect Prompt Injection] (LOW): The skill is a conduit for untrusted data from an external source (Google Sheets) into the agent's context.
- Ingestion points: Spreadsheet data is ingested via get-text and get-range commands in scripts/sheets.py.
- Boundary markers: None identified in SKILL.md. No specific instructions are provided to the agent to treat spreadsheet content as untrusted data.
- Capability inventory: The agent can write to spreadsheets (update-range, append-rows) and delete data (clear-range), which could be triggered by instructions found within a read spreadsheet.
- Sanitization: No sanitization or verification of spreadsheet content is documented.
- [Unverifiable Dependencies] (MEDIUM): The documentation mentions that 'Tokens automatically refresh... using Google's cloud function.' This implies a dependency on an undocumented external service for credential management rather than a standard local OAuth refresh flow.
- [Information] (SAFE): The core implementation files (scripts/sheets.py and scripts/auth.py) were not provided for analysis; the assessment is based on documentation and configuration files.
Audit Metadata