ClawHub

Macro Helper

Security checks across malware telemetry and agentic risk

Overview

This is mostly a local Excel/VBA template helper, but users should review generated macros before running them and note that one included utility script writes local history/data files.

This skill appears acceptable for VBA assistance. Before installing, be aware that generated VBA can modify workbooks or interact with Outlook if you copy and run it, so test on copies and review any email/file-operation code carefully. Also note that the extra generic utility script can store local command history under a macro-helper data directory.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#
ASI02: Tool Misuse and Exploitation
Low
What this means

A user who runs generated VBA without review could change spreadsheet contents or send/share workbook data through Outlook.

Why it was flagged

The template library includes VBA examples that can delete rows, modify cells, and prepare an Outlook email with the current workbook attached. These are visible templates and are aligned with macro automation, but they can have real effects if copied and run.

Skill content
If WorksheetFunction.CountA(ws.Rows(i)) = 0 Then
            ws.Rows(i).Delete ... .Attachments.Add ThisWorkbook.FullName
        .Display  ' Use .Send to send directly
Recommendation

Review and test generated VBA on a copy of the workbook before running it on important files; keep email examples on .Display unless you intentionally want to send.

#
ASI06: Memory and Context Poisoning
Low
What this means

Task descriptions or other arguments passed to this utility may remain in local history/data files until manually deleted.

Why it was flagged

The extra utility script creates persistent local storage and logs command arguments. This is local-only in the provided artifact, but it is not described in SKILL.md and could retain user-provided task text.

Skill content
DATA_DIR="${MACRO_HELPER_DIR:-${XDG_DATA_HOME:-$HOME/.local/share}/macro-helper}"
DB="$DATA_DIR/data.log"
mkdir -p "$DATA_DIR"
_log() { echo "$(date '+%m-%d %H:%M') $1: $2" >> "$DATA_DIR/history.log"; }
Recommendation

Avoid passing sensitive spreadsheet details to the generic utility commands, or clear the macro-helper data directory if you do not want local retention.

#
ASI05: Unexpected Code Execution
Info
What this means

Installing or invoking the skill may cause the agent to run the reviewed local bash script to generate VBA guidance.

Why it was flagged

The documented workflow uses a local shell script. The included macro.sh appears to print guidance/templates rather than perform hidden system changes, so this is expected for the skill but still worth noticing.

Skill content
Run: `bash scripts/macro.sh <command> [task_description]`
Recommendation

Run the local script only from the installed skill directory and review script changes when updating the skill.