Pans Excel
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its Excel-processing purpose, but its helper script contains unsafe dynamic Python evaluation that could run arbitrary code if reached by user-controlled input.
Review this skill carefully before installing. Its spreadsheet features are plausible, but do not use it on untrusted data until the eval usage is removed or audited; if you must test it, run it in an isolated environment and keep backups of files it modifies.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or accidentally crafted input could make the Excel helper run commands beyond spreadsheet processing.
The helper script contains unrestricted Python eval. If the evaluated string can be influenced by a user, spreadsheet content, or model-generated command argument, it can execute arbitrary local Python code under the user's account.
try: return eval(s)
Remove eval and replace it with safe parsers such as json.loads, ast.literal_eval, or explicit formula/data parsing; until fixed, use only trusted inputs and consider running the skill in a sandbox.
The skill may fail or require manual dependency installation that is not fully described in the registry metadata.
The script relies on openpyxl for core spreadsheet behavior, while the provided requirements/install section declares no install spec. This is purpose-aligned but under-declared setup information.
try:
    import openpyxl
    from openpyxl import Workbook, load_workbook
    ...
except ImportError:
    HAS_OPENPYXL = False
Declare and pin required runtime dependencies, and document any optional PDF-export dependency such as LibreOffice.
