Sheetsmith
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name:
Developer:
Version:
Description: OpenClaw Agent Skill
Suspicious High-Entropy/Eval files: 1

The OpenClaw Sheetsmith skill is designed for pandas-powered CSV and Excel file management. The core script `scripts/sheetsmith.py` uses standard pandas functions like `df.query()` and `df.eval()` for data manipulation, which are designed to operate within a safe, restricted context, preventing arbitrary code execution. File operations are limited to reading specified input files and writing output files to user-defined paths. The `SKILL.md` and `README.md` files provide clear instructions for the AI agent on how to use the tool and share its processed output (e.g., via Telegram or WhatsApp), which is a legitimate function of an agent and not an attempt at unauthorized data exfiltration. There is no evidence of intentional harmful behavior, obfuscation, or malicious execution beyond the stated purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a user or agent runs a bad or untrusted expression, the spreadsheet output could be wrong or unexpectedly modified.
Transform expressions supplied on the command line are dynamically evaluated by pandas; this is central to the skill's stated purpose, but untrusted expressions could cause unintended computation or data changes.
`df.eval(expr, inplace=True, engine="python")`
Review expressions before running them, prefer simple arithmetic/column formulas, and do not copy formulas from untrusted files or messages without checking them.
A mistaken path or --inplace use could overwrite a spreadsheet the user meant to preserve.
The skill intentionally supports reading user-selected paths and overwriting the source file when explicitly requested; this is disclosed and purpose-aligned, but users should notice the mutation capability.
reference it via a full path ... pass `--inplace` to overwrite the source file
Use --output to create a new file by default, keep a raw backup, and reserve --inplace for cases where overwriting is clearly intended.
If enabled, details about handled datasets may persist beyond the immediate task.
The README describes optional persistent memory logging of dataset activity; no code forces this behavior, but users should understand it could retain dataset names or workflow details.
If you want me to keep a log of every dataset I touched, I can update `memory` entries as part of the workflow.
Only request memory logging for non-sensitive workflows, and specify exactly what should or should not be remembered.
