Agent Sheet
PassAudited by ClawScan on May 1, 2026.
Overview
Agent Sheet is a coherent spreadsheet CLI skill with disclosed workbook read/write and scripting powers; no hidden exfiltration or deceptive behavior is shown, but users should install and use it deliberately.
Install this only if you intend to let the agent inspect and modify local spreadsheets. Keep workbook targets explicit, review broad writes or sheet lifecycle actions before running them, verify output files and changed ranges, and consider pinning the npm package instead of relying on `agent-sheet@latest`.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used on the wrong workbook, sheet, or range, it could change or delete spreadsheet data.
The skill is explicitly designed to mutate spreadsheets, including structural sheet changes. This is purpose-aligned and paired with bounded-command and verification guidance, but users should recognize it can alter workbook contents.
Use this for workbook mutations: sparse patches, bounded replacements, review tables, formula propagation, and sheet lifecycle changes.
Use explicit entry IDs and ranges, inspect before broad writes, and verify the changed workbook region after every mutation.
A script fallback can make workbook changes that are more powerful than ordinary cell-write commands.
The skill documents a JavaScript execution fallback. The same artifact limits it to workbook-local, scoped use with no network, filesystem, shell, or process side effects, so this is disclosed and purpose-aligned rather than suspicious.
Use `script js` when workbook-native API logic is the clearest bounded path, or when built-in `agent-sheet` commands cannot express the requested workbook change cleanly.
Only use `script js` when built-in commands are insufficient, state the touched sheets and ranges first, and verify the result afterward.
A later package version could behave differently from the reviewed documentation and helper scripts.
The required CLI is installed from an unpinned external Node package. This is expected for the skill's purpose, but `@latest` means future installs may receive different code than the reviewed artifacts describe.
node | package: agent-sheet@latest | creates binaries: agent-sheet
Prefer a pinned package version or verify the package provenance before installing in sensitive environments.