achievement-qztc
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running it on the wrong spreadsheet could process or create documents containing student grade information.
The generator processes student IDs, names, and grade columns from a user-supplied Excel file. This is expected for the stated purpose, but it means the tool handles sensitive educational records locally.
required_cols = ['学号', '姓名', '平时成绩', '期中成绩', '期末成绩']
Use the skill only with intended course files and protect the generated DOCX outputs as student-record documents.
The skill will read and write local files when the user runs the documented commands.
The primary workflow runs local Python code to generate and review documents. This is disclosed and central to the skill's purpose, not hidden execution.
python3 achievement_generator.py --pipeline "C#程序设计-23级软工.xls"
Review the command, input file, template location, and output location before running the pipeline.
The tool may rely on whatever local Python packages are already installed, which can affect reproducibility or compatibility.
The skill lists third-party Python dependencies, while the registry/install information provides no install spec or pinned package versions. This is a setup/provenance gap, not evidence of malicious behavior.
import pandas as pd
from docx import Document
import zipfile
from lxml import etree
Run it in a controlled Python environment and pin/install the expected dependencies before use.
A wrong or tampered template could produce inaccurate course achievement calculations.
The grading weights and target configuration are trusted from the local template document. This is disclosed and purpose-aligned, but a modified or incorrect template can change the generated analysis.
Weights and target configuration are both read dynamically from Table 7 of the template
Use trusted, version-controlled templates and verify the template before generating official reports.
First use may create or depend on a local configuration file that controls which template directory is used.
The helper uses a local config.env file and can create it if missing. This persistent setup file is purpose-aligned for template configuration, but it is not declared as a required config path in the registry metadata.
CONFIG_FILE = os.path.join(SCRIPT_DIR, 'config.env')
Inspect config.env after creation and ensure TEMPLATE_DIR points to the intended trusted template folder.
