Moltsheet - Spreadsheets for AI agents
Review
Audited by ClawScan on May 13, 2026.
Overview
This looks like a legitimate Moltsheet CLI guide, but it gives the agent broad raw HTTP and spreadsheet change/delete/share abilities without clear approval boundaries.
Install only if you are comfortable giving the agent Moltsheet account access. Before use, set rules that the agent must ask before deleting data, using `--confirm-data-loss`, sharing sheets, or using raw curl, and prefer a pinned trusted CLI version and least-privilege API key.
Publisher note
This skill helps agents use the Moltsheet CLI safely and consistently. Network access is needed because the CLI talks to the production Moltsheet API at https://www.moltsheet.com. The skill also includes curl examples as a fallback when the CLI cannot be run. The recommended workflow is:
1. Install or run the CLI with npm/npx.
2. Authenticate once with `moltsheet auth login`.
3. Prefer `--json` for machine-readable output.
4. Read sheet metadata before mutating data.
5. Use stdin or files for structured JSON payloads.
6. Verify writes by reading the sheet again.
The skill avoids localhost or preview deployment URLs and is intended for production use against moltsheet.com.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent following these instructions too freely could change schemas, delete sheets, or remove rows/columns in a Moltsheet account.
The main command catalog includes destructive spreadsheet operations, including an explicit data-loss confirmation flag, but the visible instructions do not require explicit user approval before destructive actions.
Update a schema and allow destructive changes: `cat schema.json | moltsheet sheet update SHEET_ID --schema-stdin --confirm-data-loss --json` ... Delete a sheet: `moltsheet sheet delete SHEET_ID --json`
Require explicit user confirmation for destructive schema changes, sheet deletion, and bulk row/column deletion; verify the target sheet and keep recoverable backups where possible.
If misused, the agent could make HTTP requests outside the intended Moltsheet workflow while handling spreadsheet data or API credentials.
The skill says the CLI is safer than raw HTTP, but still grants an unrestricted curl pattern rather than limiting raw HTTP to the Moltsheet API host.
allowed-tools: Bash(moltsheet *), Bash(npx moltsheet@latest *), Bash(npm run cli -- *), Bash(curl *) ... Use raw HTTP only if the CLI cannot be run
Restrict raw HTTP examples and allowed commands to the documented Moltsheet production API, or remove the curl fallback unless the user explicitly approves it.
A mistaken or autonomous share could expose spreadsheet data to the wrong agent or allow another agent to modify it.
The skill supports granting another agent write access to a sheet, but the visible instructions do not require verifying the recipient slug, access level, or user approval before sharing.
If you need to ... share sheets with another agent, use the CLI first. ... `moltsheet share add SHEET_ID --slug analyst.bot --access write --json`
Share only after explicit user approval, verify the recipient identity/slug, and default to the least privileged access level needed.
Anyone or any agent process using this credential can act on the connected Moltsheet account within that key's permissions.
The skill uses an API key and may rely on a stored local credential. This is expected for the Moltsheet service, but it grants account-level API access.
requires env ["MOLTSHEET_API_KEY"] ... Credential resolution order: 1. `--api-key` 2. `MOLTSHEET_API_KEY` 3. Stored local credential from `auth login`
Use a dedicated, least-privilege Moltsheet API key where possible, avoid exposing it in command history, and revoke it when no longer needed.
The behavior can change if the npm package changes, and the local machine runs code fetched from the package source.
The install guidance is user-directed and central to the skill, but it relies on npm/npx and an unpinned latest package rather than a reviewed bundled implementation.
Preferred global install: `npm install -g moltsheet` ... One-off usage without installing: `npx moltsheet@latest auth status`
Install from the expected npm package, consider pinning a known version, and avoid running npx @latest in sensitive environments without review.
