Abstract
Generating Google Apps Script (GAS) with Gemini CLI from natural language introduces security risks due to broad permissions. This report investigates a “Fake-Sandbox” using the gas-fakes library, translating GAS calls into granularly-scoped API requests to securely execute scripts created from user prompts.
Introduction
1. Background: Generative AI and the Challenge of Secure Script Execution
The emergence of Generative AI now makes it possible to generate executable scripts directly from natural language instructions, particularly through interfaces like the Gemini CLI. For locally executable languages such as JavaScript (Node.js) and Python, code generated from a simple prompt can be run directly. However, Google Apps Script (GAS) presents a unique challenge as it operates within Google’s server-side infrastructure. Executing locally generated GAS code requires the remote invocation of a server-side function via the scripts.run method of the Apps Script API. This process highlights the critical need for a sandbox environment to manage permissions effectively and mitigate the risks associated with executing code generated from natural language, which can sometimes produce unintended or insecure outcomes.
2. Existing Sandbox Strategies and Their Inherent Limitations
Implementing a sandbox—an isolated, secure environment for code execution—for Google Apps Script involves several potential strategies, each with significant drawbacks:
-
Dedicated Execution Accounts: A highly secure method involves creating a dedicated Google account solely for script execution. This approach effectively contains any potential impact within the confines of that account. However, the administrative overhead and cost associated with managing numerous accounts render this solution impractical for large-scale deployments.
-
Service Accounts: While service accounts are a standard for programmatic authentication within Google Cloud, they are not currently permitted to directly execute GAS functions through the Apps Script API, making this a non-viable option.
-
Permission Scoping with OAuth: A more promising strategy involves restricting permissions using OAuth scopes. The
https://www.googleapis.com/auth/drive.filescope is particularly appealing, as it limits an application’s access to only those files it creates or that a user explicitly opens with that application. This approach, however, introduces a fundamental trade-off. Core GAS services, such asSpreadsheetApp, often require broad scopes (e.g.,https://www.googleapis.com/auth/spreadsheets) that grant access to all of a user’s spreadsheets. This conflict between granular permissions and the requirements of high-level GAS services makes it difficult to adhere to the principle of least privilege. -
Execution Interception: In theory, a wrapper script could intercept the execution of a Google Apps Script to enforce restrictions on specific files and methods. By doing so, it would be possible to run the script in a more controlled manner. However, no such mechanism for intercepting and sandboxing GAS execution currently exists.
3. A Novel Approach: A Fake-Sandbox with gas-fakes
The Node.js package gas-fakes, developed by Bruce McPherson, offers a potential solution to this dilemma. This library functions as a local runtime environment for GAS, translating calls to standard GAS services (e.g., SpreadsheetApp.openById("###")) into their equivalent Google API requests (e.g., Google Sheets API). This abstraction allows developers to write scripts using familiar GAS syntax while the underlying operations are executed via Google APIs that support more granular permission controls.
This mechanism makes it possible to operate on a specific spreadsheet using standard GAS methods while restricting access to designated files and methods. This approach effectively decouples the developer experience from the underlying permission model, combining the security benefits of fine-grained permissions with the development efficiency of native GAS services. This capability suggests its potential as a “Fake-Sandbox” for executing code generated from natural language with tightly controlled access.
4. Objective of This Report
This report aims to examine the feasibility of constructing this Fake-Sandbox environment for Google Apps Script. We will investigate the use of the gas-fakes library as a means to safely execute scripts generated from natural language prompts using Gemini CLI by intercepting and managing their execution. While gas-fakes does not yet have comprehensive coverage of all GAS classes and methods, our preliminary findings suggest that this approach represents a promising pathway toward secure and scalable automation with Google Apps Script.
Conceptual Workflow
The following diagram illustrates the process of executing a Google Apps Script generated by the Gemini CLI within the fake-sandbox environment:
Practical Implementation
1. Install Gemini CLI
Instructions for installing the Gemini CLI can be found at https://github.com/google-gemini/gemini-cli.
Gemini CLI Configuration
To execute Google Apps Script within the fake-sandbox, you need to configure the Gemini CLI. Add the following text to the GEMINI.md file located in the .gemini directory:
# Generate and run Google Apps Script
Generate the script by referring to the sample scripts at "StackOverflow" obtained using a Google search. If an error occurs, modify the script by referring to StackOverflow again.
In order to run the script of Google Apps Script, use "@mcpher/gas-fakes". The base of the script is as follows: "BaseScript". Google Apps Script is safely run in the sandbox. As additional information, in the current stage, gas-fakes cannot use `Logger.log`. So, please use `console.log` instead of it.
<BaseScript>
```javascript
import "@mcpher/gas-fakes/main.js"
ScriptApp.__behavior.sandBoxMode = true;
//---
// Generated Google Apps Script
//---
ScriptApp.__behavior.trash();
```
</BaseScript>
Please replace the comment lines in "BaseScript" with the generated Google Apps Script. And, run the script by `node [filename.js]`.
The prompt Generate the script by referring to the sample scripts at "StackOverflow" obtained using a Google search. is included to guide Gemini towards generating code that uses current and effective methods.
2. Install gas-fakes
You can find instructions for installing gas-fakes at https://github.com/brucemcpherson/gas-fakes.
3. Example Use Cases
Run the Gemini CLI by entering $ gemini in your terminal.
Example 1: Create Spreadsheet and Populate with Values
Prompt:
Create the following application using Google Apps Script and run the script.
1. Create a new Google Spreadsheet as "temp spreadsheet".
2. Insert a new sheet as "temp" to the created Spreadsheet.
3. Put a value of `[["header1", "header2", "header3"], ["a2", "b2","c2"]]` into the "temp" sheet.
Result: The Gemini CLI will generate and execute a script that safely performs these actions within the fake-sandbox.
The generated script is as follows. The core logic within the createAndPopulateSpreadsheet function is also compatible with the standard Google Apps Script editor.
import "@mcpher/gas-fakes/main.js";
ScriptApp.__behavior.sandBoxMode = true;
//---
// Generated Google Apps Script
//---
function createAndPopulateSpreadsheet() {
// 1. Create a new Google Spreadsheet as "temp spreadsheet".
const ss = SpreadsheetApp.create("temp spreadsheet");
console.log(`Spreadsheet created: ${ss.getName()} (ID: ${ss.getId()})`);
// 2. Insert a new sheet as "temp" to the created Spreadsheet.
// Get the default sheet and rename it, or create a new one and delete the default.
// Let's create a new one and delete the default for clarity.
const tempSheet = ss.insertSheet("temp");
console.log(`Created new sheet: ${tempSheet.getName()}`);
// Delete the default "Sheet1" if it exists
const defaultSheet = ss.getSheetByName("Sheet1");
if (defaultSheet) {
ss.deleteSheet(defaultSheet);
console.log("Deleted default 'Sheet1'.");
}
// 3. Put a value of [["header1", "header2", "header3"], ["a2", "b2","c2"]] into the "temp" sheet.
const data = [
["header1", "header2", "header3"],
["a2", "b2", "c2"],
];
const range = tempSheet.getRange(1, 1, data.length, data[0].length);
range.setValues(data);
console.log("Values have been added to the 'temp' sheet.");
console.log(`URL: ${ss.getUrl()}`);
}
createAndPopulateSpreadsheet();
ScriptApp.__behavior.trash();
Example 2: Create Spreadsheet and Move to a Folder
Prompt:
Create the following application using Google Apps Script and run the script.
1. Create a new Google Spreadsheet as "temp spreadsheet".
2. Create a new folder of "tempFolder".
3. Move the Spreadsheet to the folder.
Result: The script is generated and executed securely, demonstrating file and folder manipulation.
The generated script can also be used in the Google Apps Script editor.
import "@mcpher/gas-fakes/main.js";
ScriptApp.__behavior.sandBoxMode = true;
//---
// Generated Google Apps Script
//---
function createSpreadsheetCreateFolderMoveFile() {
const spreadsheetName = "temp spreadsheet";
const folderName = "tempFolder";
// 1. Create a new folder
const newFolder = DriveApp.createFolder(folderName);
console.log(`Folder '${folderName}' created with ID: ${newFolder.getId()}`);
// 2. Create a new spreadsheet in the root (initially)
const newSpreadsheet = SpreadsheetApp.create(spreadsheetName);
console.log(
`Spreadsheet '${spreadsheetName}' created with ID: ${newSpreadsheet.getId()}`
);
// 3. Get the file object of the newly created spreadsheet
const file = DriveApp.getFileById(newSpreadsheet.getId());
// 4. Move the spreadsheet to the new folder
file.moveTo(newFolder);
console.log(
`Spreadsheet '${spreadsheetName}' moved to folder '${folderName}'.`
);
// Optional: Log URLs for verification
console.log(`New Folder URL: ${newFolder.getUrl()}`);
console.log(`New Spreadsheet URL: ${newSpreadsheet.getUrl()}`);
}
// Call the main function
createSpreadsheetCreateFolderMoveFile();
ScriptApp.__behavior.trash();
Example 3: Create, Populate, and Organize a Spreadsheet
Prompt:
Create the following application using Google Apps Script and run the script.
1. Create a new Google Spreadsheet as "temp spreadsheet".
2. Insert a new sheet as "temp" to the created Spreadsheet.
3. Put a value of `[["header1", "header2", "header3"], ["a2", "b2","c2"]]` into the "temp" sheet.
4. Freeze the 1st row and 1st column of the "temp" sheet.
5. Create a new folder of "tempFolder".
6. Move the Spreadsheet to the folder.
Result: This more complex workflow is also handled securely by the fake-sandbox.
The generated script is as follows:
import "@mcpher/gas-fakes/main.js";
ScriptApp.__behavior.sandBoxMode = true;
function main() {
try {
// 1. Create a new Google Spreadsheet as "temp spreadsheet".
const spreadsheetName = "temp spreadsheet";
const spreadsheet = SpreadsheetApp.create(spreadsheetName);
const spreadsheetId = spreadsheet.getId();
console.log(
`Created spreadsheet: ${spreadsheetName} (ID: ${spreadsheetId})`
);
// 2. Insert a new sheet as "temp" to the created Spreadsheet.
const newSheetName = "temp";
const sheet = spreadsheet.insertSheet(newSheetName);
console.log(`Inserted new sheet: ${newSheetName}`);
// Remove the default "Sheet1" if it exists and is empty
const defaultSheet = spreadsheet.getSheetByName("Sheet1");
if (defaultSheet) {
spreadsheet.deleteSheet(defaultSheet);
console.log("Deleted default 'Sheet1'.");
}
// 3. Put a value of `[["header1", "header2", "header3"], ["a2", "b2","c2"]]` into the "temp" sheet.
const data = [
["header1", "header2", "header3"],
["a2", "b2", "c2"],
];
sheet.getRange(1, 1, data.length, data[0].length).setValues(data);
console.log("Inserted values into the sheet.");
// 4. Freeze the 1st row and 1st column of the "temp" sheet.
sheet.setFrozenRows(1);
sheet.setFrozenColumns(1);
console.log("Frozen first row and first column.");
// 5. Create a new folder of "tempFolder".
const folderName = "tempFolder";
const folder = DriveApp.createFolder(folderName);
const folderId = folder.getId();
console.log(`Created new folder: ${folderName} (ID: ${folderId})`);
// 6. Move the Spreadsheet to the folder.
const file = DriveApp.getFileById(spreadsheetId);
file.moveTo(folder);
console.log(
`Moved spreadsheet '${spreadsheetName}' to folder '${folderName}'.`
);
} catch (e) {
console.error("An error occurred: " + e.toString());
}
}
main(); // Call the main function
ScriptApp.__behavior.trash();
Example 4: Create a Document and Add a Paragraph
Prompt:
Create the following application using Google Apps Script and run the script.
1. Create a new Google Document as "temp document".
2. Add a paragraph as a text of "sample".
Result: This example demonstrates that the fake-sandbox can also handle other Google Workspace applications like Google Docs.
The generated script is as follows:
import "@mcpher/gas-fakes/main.js";
ScriptApp.__behavior.sandBoxMode = true;
//---
// Generated Google Apps Script
//---
function createDocumentAndAddText() {
const docTitle = "temp document";
const textContent = "sample";
try {
const doc = DocumentApp.create(docTitle);
const body = doc.getBody();
body.appendParagraph(textContent);
console.log(
`Successfully created document: ${doc.getName()} (ID: ${doc.getId()})`
);
console.log(`Document URL: ${doc.getUrl()}`);
} catch (e) {
console.error(`Failed to create document: ${e.message}`);
}
}
// Call the function to execute the script
createDocumentAndAddText();
ScriptApp.__behavior.trash();
Summary
This feasibility study demonstrates a promising approach to securely executing Google Apps Script code generated by AI. The key takeaways are as follows:
- Addresses a Critical Security Gap: The “Fake-Sandbox” concept directly addresses the security risks of executing AI-generated GAS. By translating GAS calls into API requests, it becomes possible to restrict the script’s access to specific files and methods, a significant improvement over the broad permissions typically required by native GAS services.
- Leverages
gas-fakesfor Translation: Thegas-fakeslibrary is the core component of this approach, translating high-level GAS service calls into specific, permission-controlled Google API requests. - Maintains Developer Experience: Scripts can be written using familiar GAS syntax, decoupling the development process from the underlying security implementation.
- Enables Secure AI-Powered Automation: By integrating with the Gemini CLI, this method allows users to safely automate Google Workspace tasks using natural language prompts.
- Feasibility and Future Potential: While the
gas-fakeslibrary’s coverage is not yet exhaustive, this study confirms the viability of the fake-sandbox approach and highlights its potential for broader application as the library evolves.