Pans Excel
Pass
Audited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill
Name: pans-excel
Version: 1.2.0

The skill bundle is classified as suspicious due to a critical Remote Code Execution (RCE) vulnerability in `scripts/excel.py`. The functions `load_data` and `ld` use `eval()` to parse the data argument (`-d/--data`) for several commands, allowing for the execution of arbitrary Python code. While the bundle's stated purpose of Excel processing and reporting appears legitimate and the `SKILL.md` instructions do not contain obvious prompt injections or malicious intent, the use of `eval()` on unsanitized input is a high-risk security flaw.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or accidentally crafted input could make the Excel helper run commands beyond spreadsheet processing.
The helper script contains unrestricted Python eval. If the evaluated string can be influenced by a user, spreadsheet content, or model-generated command argument, it can execute arbitrary local Python code under the user's account.
try:
    return eval(s)
Remove eval and replace it with safe parsers such as json.loads, ast.literal_eval, or explicit formula/data parsing; until fixed, use only trusted inputs and consider running the skill in a sandbox.
The skill may fail or require manual dependency installation that is not fully described in the registry metadata.
The script relies on openpyxl for core spreadsheet behavior, while the provided requirements/install section declares no install spec. This is purpose-aligned but under-declared setup information.
try:
    import openpyxl
    from openpyxl import Workbook, load_workbook
    ...
except ImportError:
    HAS_OPENPYXL = False

Declare and pin required runtime dependencies, and document any optional PDF-export dependency such as LibreOffice.
