Sheetsmith
Pass
Audited by ClawScan on May 10, 2026.
Overview
Sheetsmith is a coherent local spreadsheet utility. The main cautions are that it evaluates user-supplied pandas expressions and can write or overwrite selected files.
This skill appears safe for normal local CSV/Excel work. Before installing, be aware that it can evaluate pandas expressions and write files, including overwriting the original when --inplace is used. Prefer saving to a new output file and only run expressions you understand.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a user or agent runs a bad or untrusted expression, the spreadsheet output could be wrong or unexpectedly modified.
Transform expressions supplied on the command line are dynamically evaluated by pandas; this is central to the skill's stated purpose, but untrusted expressions could cause unintended computation or data changes.
df.eval(expr, inplace=True, engine="python")
Review expressions before running them, prefer simple arithmetic/column formulas, and do not copy formulas from untrusted files or messages without checking them.
A mistaken path or --inplace use could overwrite a spreadsheet the user meant to preserve.
The skill intentionally supports reading user-selected paths and overwriting the source file when explicitly requested; this is disclosed and purpose-aligned, but users should notice the mutation capability.
reference it via a full path ... pass `--inplace` to overwrite the source file
Use --output to create a new file by default, keep a raw backup, and reserve --inplace for cases where overwriting is clearly intended.
If enabled, details about handled datasets may persist beyond the immediate task.
The README describes optional persistent memory logging of dataset activity; no code forces this behavior, but users should understand it could retain dataset names or workflow details.
If you want me to keep a log of every dataset I touched, I can update `memory` entries as part of the workflow.
Only request memory logging for non-sensitive workflows, and specify exactly what should or should not be remembered.
