Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

table-structure-handler

v1.5.0

Table-structure Excel processing skill. Triggered when the user says "表结构处理" ("table structure processing").

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose (processing Excel table-structure files) aligns with the large bundled libraries (openpyxl for Excel manipulation, pypinyin for Chinese pinyin handling) and data files describing headers and styles. However SKILL.md describes the skill as "instruction-only" (no install spec), which contradicts the presence of ~235 code files (scripts/lib/* and scripts/process_table.py). Bundling these libraries is plausible for this purpose, but the metadata/instruction mismatch is an inconsistency to be aware of.
Instruction Scope
The SKILL.md instructions are narrowly scoped: read the newest or specified .xlsx from /workspace/user_input_files/ and write a _processed.xlsx to /workspace/skills_output/. The described transformations (delete first row, insert columns F~N headers, styling, preserve A~E) are consistent with what openpyxl can perform. Instructions do not request other system files, credentials, or external endpoints.
Install Mechanism
No install spec is declared (reduces download risk), but the skill package already includes full third-party libraries (openpyxl 3.1.5, et_xmlfile, pypinyin) and a main script (scripts/process_table.py). Bundling is not inherently malicious but increases the code surface that will run locally; the package does not fetch code from the network during install according to provided metadata.
Credentials
The skill does not request any environment variables, credentials, or config paths. The declared inputs/outputs are only workspace paths, which is proportionate to Excel processing.
Persistence & Privilege
The skill is not always-enabled and allows user invocation. There is no indication it modifies other skills or system-wide settings. It writes outputs into /workspace/skills_output/ which is expected for its function.
What to consider before installing
This skill appears to do what it claims (Excel table-structure processing) and includes legitimate libraries (openpyxl, pypinyin). However:

1) The SKILL.md calls it "instruction-only" but the package contains ~235 code files — ask the author why code is bundled and request a source/homepage or repository for review.
2) Before using, review scripts/process_table.py (the main script) for any unexpected behaviors (network calls, reading paths outside /workspace/user_input_files/, or writing outside /workspace/skills_output/).
3) Test the skill first with non-sensitive sample files to confirm outputs and ensure no external communication happens.
4) If you must run it on sensitive data, consider running it in a restricted environment (isolated workspace, limited filesystem permissions) or request the upstream source so you or your security team can audit the code.

Providing the author’s repository, digital signatures, or hashes for the bundled libraries would raise confidence.
