ask-data

Pass. Audited by ClawScan on May 11, 2026.

Overview

This skill appears to match its stated purpose: it reads a user-approved local Excel file and answers data questions, with no evidence of network exfiltration, credential use, or file modification.

This looks safe for its intended use. Before installing, confirm you are comfortable letting the agent read the chosen Excel file, avoid unnecessary sensitive data, and verify that the local Python/pandas environment is available.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The selected spreadsheet will be opened and processed locally; malformed or unquoted paths could cause errors or unexpected command behavior.

Why it was flagged

The skill asks the agent to run local Python commands using a user-supplied file path and query JSON. This is central to the skill and confirmation-gated, but paths and JSON should be passed safely rather than treated as shell text.

Skill content

python scripts/read_excel.py <文件路径> ... python scripts/query_data.py <文件路径> <sheet名> '<查询JSON>'

Recommendation

Only approve files you intend to analyze, and ensure the agent treats file paths as literal arguments, preferably quoted or passed without shell interpolation.

What this means

Sample rows or query results may reveal sensitive business or personal data in the conversation.

Why it was flagged

The reader script returns sample spreadsheet rows, and the query script returns result rows and insights. This is expected for a data Q&A skill, but it means selected spreadsheet data becomes part of the agent's working context.

Skill content

"sample_data": df.head(5).to_dict(orient='records')

Recommendation

Use only spreadsheets you are comfortable sharing with the agent session, and avoid files containing unnecessary sensitive columns.

What this means

The skill may fail or require local Python/pandas support that is not declared in the registry metadata.

Why it was flagged

The registry metadata does not declare runtime dependencies, while the included workflow relies on Python scripts and the source imports pandas. This is an under-declared setup requirement rather than evidence of malicious behavior.

Skill content

Required binaries (all must exist): none ... Install specifications: No install spec — this is an instruction-only skill.

Recommendation

Verify the included scripts and required Python packages before use, especially in managed or restricted environments.