
Security audit

资产负债表生成 (Balance Sheet Generation)

Security checks across malware telemetry and agentic risk

Overview

This skill locally converts a user-provided financial Excel workbook into a balance-sheet workbook, with no evidence of network access, credential use, persistence, or destructive behavior.

Install only if you are comfortable letting the skill read financial Excel files in the workspace and create an output workbook there. To avoid reading the wrong workbook or overwriting an existing one, provide an explicit source file and output path when possible, and check whether `资产负债表.xlsx` (the default output name, "balance sheet.xlsx") already exists before running with the default.

SkillSpector

By NVIDIA
Vulnerability patterns scanned for:
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium severity, 88% confidence

Finding
The OpenClaw trigger phrase is extremely broad: a normal request like '生成资产负债表' ("generate a balance sheet") can easily match during unrelated conversations once a spreadsheet is present in the workspace. Because the skill also states it will automatically read the latest file and generate output, an accidental invocation could process sensitive financial data without clear user confirmation.

Missing User Warnings

Medium severity, 92% confidence

Finding
The skill description says it will read the latest uploaded file automatically and write a generated workbook to the workspace root, but it does not warn users about this behavior. In a financial-reporting context, silent file selection and output creation can expose or overwrite sensitive accounting data, particularly in shared or cluttered workspaces.
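Both findings above come down to the same two behaviours: picking a source file implicitly ("the latest file") and writing a default output name into the workspace root without checking for an existing workbook. The wrapper below is an added example written for this audit, not the skill's own code, of how a caller or a hardened version of the skill could enforce the mitigations the overview recommends. Names such as `UnsafePathError`, `convert()` and the `ledger.xlsx` stand-in are hypothetical; the real workbook conversion (openpyxl or similar) is deliberately left out so the snippet runs offline with no dependencies.

```python
"""Workspace guard rails for a spreadsheet-to-balance-sheet conversion.

Hypothetical wrapper (not the audited skill's code) showing three controls:
  1. the source workbook must be named explicitly, never "the latest file";
  2. every path is resolved and confined to the workspace;
  3. the output is created with O_EXCL so an existing workbook is never overwritten,
     even if it appears between a check and the write (no TOCTOU window).
"""
import os
import tempfile
from pathlib import Path
from typing import Optional

DEFAULT_OUTPUT = "资产负债表.xlsx"  # the audited skill's default output name


class UnsafePathError(ValueError):
    """Raised when a caller-supplied path would leave the workspace or is ambiguous."""


def resolve_in_workspace(workspace: Path, candidate: str) -> Path:
    """Resolve candidate against the workspace and reject anything that escapes it
    (absolute paths, '..' segments, symlinks pointing elsewhere)."""
    ws = workspace.resolve()
    target = (ws / candidate).resolve()
    if ws not in target.parents:
        raise UnsafePathError(f"{candidate!r} resolves outside the workspace")
    return target


def pick_source(workspace: Path, explicit: Optional[str]) -> Path:
    """Require an explicit .xlsx source instead of silently taking the newest file."""
    if explicit is None:
        raise UnsafePathError("no source given; refusing to guess the latest workbook")
    src = resolve_in_workspace(workspace, explicit)
    if src.suffix.lower() != ".xlsx" or not src.is_file():
        raise UnsafePathError(f"{explicit!r} is not an existing .xlsx file")
    return src


def create_output(workspace: Path, name: str = DEFAULT_OUTPUT) -> Path:
    """Create the output file atomically; O_EXCL makes the kernel refuse if it exists."""
    dst = resolve_in_workspace(workspace, name)
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)  # FileExistsError if present
    os.close(fd)
    return dst


def convert(workspace: str, source: Optional[str], output: str = DEFAULT_OUTPUT) -> dict:
    """Validate inputs and reserve the output path; the actual workbook conversion
    would happen after this and is out of scope for the example."""
    ws = Path(workspace)
    src = pick_source(ws, source)
    dst = create_output(ws, output)
    return {"source": str(src), "output": str(dst)}


def demo() -> dict:
    """Walk through the guard rails in a throwaway workspace with constructed data."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        ws = Path(tmp)
        # Constructed stand-in for a user's workbook; not a real .xlsx payload.
        (ws / "ledger.xlsx").write_bytes(b"PK\x03\x04")
        results["first_run"] = convert(tmp, "ledger.xlsx")
        try:
            convert(tmp, "ledger.xlsx")  # default output already exists now
            results["second_run"] = "overwrote"
        except FileExistsError:
            results["second_run"] = "blocked"
        try:
            convert(tmp, None, "other.xlsx")  # implicit "latest file" selection
            results["implicit_source"] = "allowed"
        except UnsafePathError:
            results["implicit_source"] = "refused"
        try:
            convert(tmp, "ledger.xlsx", "../escape.xlsx")  # output outside workspace
            results["escape"] = "allowed"
        except UnsafePathError:
            results["escape"] = "refused"
    return results


if __name__ == "__main__":
    print(demo())
```

The O_EXCL open is the part worth copying: a separate `exists()` check followed by a normal write leaves a race in shared workspaces, whereas the exclusive create either succeeds or fails atomically. Refusing an implicit source also removes the trigger-abuse path in the first finding, since an accidental invocation with no file argument does nothing.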

VirusTotal

0 of 66 vendors flagged this skill; all 66 returned a clean verdict.
