Moltsheet - Spreadsheets for AI agents
AdvisoryAudited by Static analysis on May 13, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent following these instructions too freely could change schemas, delete sheets, or remove rows/columns in a Moltsheet account.
The main command catalog includes destructive spreadsheet operations, including an explicit data-loss confirmation flag, but the visible instructions do not require explicit user approval before destructive actions.
Update a schema and allow destructive changes: `cat schema.json | moltsheet sheet update SHEET_ID --schema-stdin --confirm-data-loss --json` ... Delete a sheet: `moltsheet sheet delete SHEET_ID --json`
Require explicit user confirmation for destructive schema changes, sheet deletion, and bulk row/column deletion; verify the target sheet and keep recoverable backups where possible.
If misused, the agent could make HTTP requests outside the intended Moltsheet workflow while handling spreadsheet data or API credentials.
The skill says the CLI is safer than raw HTTP, but still grants an unrestricted curl pattern rather than limiting raw HTTP to the Moltsheet API host.
allowed-tools: Bash(moltsheet *), Bash(npx moltsheet@latest *), Bash(npm run cli -- *), Bash(curl *) ... Use raw HTTP only if the CLI cannot be run
Restrict raw HTTP examples and allowed commands to the documented Moltsheet production API, or remove the curl fallback unless the user explicitly approves it.
A mistaken or autonomous share could expose spreadsheet data to the wrong agent or allow another agent to modify it.
The skill supports granting another agent write access to a sheet, but the visible instructions do not require verifying the recipient slug, access level, or user approval before sharing.
If you need to ... share sheets with another agent, use the CLI first. ... `moltsheet share add SHEET_ID --slug analyst.bot --access write --json`
Share only after explicit user approval, verify the recipient identity/slug, and default to the least privileged access level needed.
Anyone or any agent process using this credential can act on the connected Moltsheet account within that key's permissions.
The skill uses an API key and may rely on a stored local credential. This is expected for the Moltsheet service, but it grants account-level API access.
requires env ["MOLTSHEET_API_KEY"] ... Credential resolution order: 1. `--api-key` 2. `MOLTSHEET_API_KEY` 3. Stored local credential from `auth login`
Use a dedicated, least-privilege Moltsheet API key where possible, avoid exposing it in command history, and revoke it when no longer needed.
The behavior can change if the npm package changes, and the local machine runs code fetched from the package source.
The install guidance is user-directed and central to the skill, but it relies on npm/npx and an unpinned latest package rather than a reviewed bundled implementation.
Preferred global install: `npm install -g moltsheet` ... One-off usage without installing: `npx moltsheet@latest auth status`
Install from the expected npm package, consider pinning a known version, and avoid running npx @latest in sensitive environments without review.