Since rules can contain Java code, the security risk is actually greater than malicious data. A user can easily insert Java code of his choice to access your system.
You can use Drools Verifier and write your own rules, but it will not be possible to eliminate every risk.
Using a third party to verify the rules might work, but the person who does the verifying will need to be a programmer to correctly assess the risk; this will counteract the advantages of using spreadsheets in the first place.
In my opinion, spreadsheets are overrated:
- There is the inherent security risk you mentioned
- It is very easy for a non-technical person to modify rule action parts and have a broken XLS file
- Defining and using lookup tables is a pain.
I would recommend that, once your project becomes stable, you ditch the spreadsheets and implement your own user interfaces for decision tables, or embed Guvnor into your web application if you use one.
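As an added illustration of the "write your own rules" checking the answer mentions (this is example code, not from the original post and not part of Drools or Drools Verifier), the script below audits the action columns of a decision table exported as CSV. It assumes a simplified layout: the first row names each column's kind (CONDITION/ACTION), the second row holds the code snippet that is expanded once per data row with `$param` replaced by the cell value, and the remaining rows are data. The sample table and the deny-list of Java constructs are constructed for the example; the check flags both denied constructs in action cells and the riskier pattern of a bare `$param` snippet, where whatever a spreadsheet editor types becomes the rule's action code verbatim.

```python
import csv
import io
import re

# Constructed sample (not from the original post). Simplified Drools-style CSV
# decision table: row 1 = column kinds, row 2 = snippets, rows 3+ = data.
# Column 4 has a bare "$param" snippet, so its data cells are spliced in as
# Java code; the last row shows a non-business action slipping in that way.
SAMPLE_CSV = (
    'CONDITION,CONDITION,ACTION,ACTION\n'
    'Customer(age > $param),Customer(tier == "$param"),$c.setDiscount($param);,$param\n'
    '18,gold,10,\n'
    '65,silver,15,\n'
    '21,bronze,5,System.exit(1);\n'
)

# Deny-list of Java constructs that have no place in a business rule action.
# Assumption for the example: extend or tighten this to the project's needs.
DENIED = [
    (re.compile(r'\bRuntime\.getRuntime\b'), 'process execution via Runtime'),
    (re.compile(r'\bProcessBuilder\b'), 'process execution via ProcessBuilder'),
    (re.compile(r'\bSystem\.(exit|load|loadLibrary|setProperty|setSecurityManager)\b'),
     'JVM-level System call'),
    (re.compile(r'\bClass\.forName\b|\.getClass\(\)\.'), 'reflection'),
    (re.compile(r'\bjava\.(io|nio|net|lang\.reflect)\b'),
     'direct I/O, network or reflection package use'),
    (re.compile(r'\bThread\b'), 'thread manipulation'),
]


def parse_table(text):
    """Split the CSV into (column kinds, snippet row, data rows)."""
    rows = list(csv.reader(io.StringIO(text)))
    kinds, snippets, data = rows[0], rows[1], rows[2:]
    return kinds, snippets, data


def audit_decision_table(text):
    """Return findings as (row, col, reason) tuples, 1-based like a spreadsheet."""
    kinds, snippets, data = parse_table(text)
    findings = []
    for col, kind in enumerate(kinds):
        if kind.strip().upper() != 'ACTION':
            continue  # condition columns are patterns, not executable actions
        snippet = snippets[col].strip() if col < len(snippets) else ''
        # A snippet that is only "$param" means every data cell is inserted
        # verbatim as code: the whole column is an open door, not just a value.
        if snippet == '$param':
            findings.append((2, col + 1,
                             'action snippet is a bare $param: data cells become code'))
        # Check the snippet itself and every data cell feeding this column.
        cells = [(2, snippet)]
        cells += [(i + 3, row[col] if col < len(row) else '')
                  for i, row in enumerate(data)]
        for row_no, cell in cells:
            for pattern, reason in DENIED:
                if pattern.search(cell):
                    findings.append((row_no, col + 1, reason))
    return findings


if __name__ == '__main__':
    for row_no, col_no, reason in audit_decision_table(SAMPLE_CSV):
        print(f'row {row_no}, column {col_no}: {reason}')
```

A deny-list like this catches the obvious cases, but as the answer says it cannot eliminate every risk: string concatenation, helper classes on the classpath, or simply an unfamiliar API can all get past it, which is why a reviewer who reads the generated rules as code is still needed.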