Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Excel Batch Processor

v1.0.0

Automate batch Excel tasks including merging, splitting, format conversion, data cleaning, deduplication, and bulk formula filling with wildcard support.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, and SKILL.md describe Excel merging/splitting/cleaning which coherently maps to the declared dependencies (openpyxl, pandas) in _meta.json. Functionality requested (wildcards, CSV conversion, large-file optimizations) is consistent with a tool that would use those libraries.
Instruction Scope
SKILL.md is an instruction-only document (Chinese), showing example command formats for merge/split/convert/clean/fill and references only local files and output directories. It does not instruct reading unrelated system files or sending data to external endpoints. However the instructions are high-level and vague (no concrete runtime program to invoke), which gives an agent broad discretion about how to achieve tasks.
Install Mechanism
_meta.json lists requirements (openpyxl, pandas) but there is no install specification and no code files. That mismatch is concerning: it's unclear who installs or supplies the runtime. The agent or user may end up needing to install third-party packages manually or the agent might attempt to pip-install them at runtime — the provenance of any code the agent would execute is unspecified. No homepage or source repo is provided to verify the publisher or package integrity.
Credentials
The skill requests no environment variables, credentials, or config paths. For a local file-processing tool, the absence of secret/credential requests is appropriate.
Persistence & Privilege
Skill is instruction-only, no install actions are declared, always:false, and it does not request elevated or persistent platform privileges. Nothing in the package requests autonomous persistence beyond normal agent invocation.
What to consider before installing
This skill appears to do what it says (Excel batch operations) but there are two practical risks:
(1) provenance — there's no homepage/source repo or install spec, so you can't verify the author or code;
(2) missing install instructions — the metadata lists Python libraries but doesn't say how/when they'll be installed, so an agent or you may need to install them manually or the agent could attempt to run pip installs.

Before installing or using:
1) ask the publisher for a source repository or packaged installer and concrete runtime instructions;
2) prefer running any tooling locally on copies of your files (not originals) and in an isolated environment (virtualenv or container);
3) if the agent offers to auto-install packages, inspect the exact commands it will run;
4) avoid processing sensitive data until you can verify the code; and
5) consider requesting a sample of the actual implementation (script or binary) to review or run in a sandbox.
