A third-party script (or any script) can do anything that the user has granted permissions to. I don't know your specific case, so it's not really possible to give you a totally definitive answer. But I can definitely tell you that many third-party scripts do have very broad access to user data, and could absolutely do something malicious.

That's why Google is currently requiring developers to either greatly restrict what their app can do with users' data, or go through a verification process. The new restrictions haven't been fully implemented yet. It's important to be able to identify the developer, and decide whether you can trust them or not.

When I developed my first add-on, I used very broad "scopes" (a setting for what the app has access to) because that's all that was available. Apps Script now has more restrictive scopes that can be used.

This is an issue that most developers probably don't want to talk about, because they want people to trust them and use their app, and don't want to scare users away. I don't want users scared away either, so I don't like stating that third-party apps with broad access to user data have the potential to do something malicious, but that's the truth. So, it's the responsibility of the app provider to give some assurance that they can be trusted.

If you want to give specific information about the app, and the permissions that you authorized, then maybe someone could give an opinion about the level of trust that you can have.
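
Added example, not part of the answer above and not code from Google or any add-on: a small JavaScript review of the `oauthScopes` list in an Apps Script manifest (`appsscript.json`), flagging broad scopes that have a narrower equivalent. The scope URLs are real Google OAuth scopes; the manifest content is constructed, and the function and field names (`auditManifest`, `broadPlusExternal`, and so on) are hypothetical.

```javascript
// Added example. SAMPLE_MANIFEST is constructed; names here are hypothetical.
const AUTH = "https://www.googleapis.com/auth/";
// Broad scope -> narrower scope limited to the open file or to app-created files.
const NARROWER = new Map([
  [AUTH + "spreadsheets", AUTH + "spreadsheets.currentonly"],
  [AUTH + "documents", AUTH + "documents.currentonly"],
  [AUTH + "drive", AUTH + "drive.file"],
]);
const EXTERNAL_REQUEST = AUTH + "script.external_request";

function auditManifest(manifestText) {
  const scopes = JSON.parse(manifestText).oauthScopes;
  const report = { explicit: true, broad: [], narrow: [], review: [], broadPlusExternal: false };
  if (!Array.isArray(scopes)) {
    // No explicit list: Apps Script derives the scopes from the script's code,
    // so the consent screen is the only place the user sees them.
    report.explicit = false;
    return report;
  }
  const narrowValues = new Set(NARROWER.values());
  for (const scope of new Set(scopes)) {
    if (NARROWER.has(scope)) {
      report.broad.push({ scope, suggest: NARROWER.get(scope) });
    } else if (narrowValues.has(scope)) {
      report.narrow.push(scope);
    } else {
      report.review.push(scope); // not in the table: judge it by hand
    }
  }
  // Broad data access together with outbound HTTP is the combination that
  // deserves the closest look before trusting the developer.
  report.broadPlusExternal = report.broad.length > 0 && scopes.includes(EXTERNAL_REQUEST);
  return report;
}

// Constructed manifest for illustration.
const SAMPLE_MANIFEST = JSON.stringify({
  timeZone: "Etc/UTC",
  oauthScopes: [AUTH + "spreadsheets", AUTH + "drive.file", EXTERNAL_REQUEST],
});
console.log(JSON.stringify(auditManifest(SAMPLE_MANIFEST), null, 2));
```
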