google-sheets-automation
Warn
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: MEDIUMDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill documentation mentions that OAuth tokens are refreshed using a 'cloud function'. Standard Google OAuth implementations refresh tokens directly via Google's official endpoints (e.g., oauth2.googleapis.com). Using an unspecified intermediary cloud function to manage or refresh refresh-tokens is a significant security risk as it allows the function operator to potentially intercept and exfiltrate user credentials.
- [COMMAND_EXECUTION]: The skill requires the execution of local Python scripts (
scripts/auth.py,scripts/sheets.py) for authentication and data operations. These scripts are not provided in the analyzed context, and their internal behavior cannot be verified, representing a risk if the scripts contain malicious logic. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its data processing surface:
- Ingestion points: The skill reads external data from Google Sheets through commands like
get-text,get-range, andfindin thescripts/sheets.pyutility. - Boundary markers: No boundary markers, delimiters, or 'ignore instructions' warnings are documented to prevent the agent from obeying instructions embedded within the spreadsheet data.
- Capability inventory: The skill possesses significant capabilities, including full read/write access to spreadsheets and command-line execution of scripts.
- Sanitization: There is no mention of sanitization, validation, or filtering of the content retrieved from external spreadsheets before it is passed to the AI agent.
Audit Metadata