Bim Qto
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: bim-qto
Version: 2.1.0
The skill is designed for BIM quantity takeoff, processing data from and exporting reports to Excel files. The declared 'filesystem' permission in `claw.json` is justified by the use of the `pandas.read_excel` and `to_excel` methods in `SKILL.md`. The Python code does not contain any direct malicious constructs such as `os.system`, `subprocess`, network calls for exfiltration, or obfuscation. Neither `SKILL.md` nor `instructions.md` contains prompt injection attempts or instructions for the AI agent to perform unauthorized actions. While a lack of input sanitization of file paths by the OpenClaw agent could lead to a path traversal vulnerability, the skill's code itself does not exhibit malicious intent, only legitimate file operations.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If given broad or incorrect paths, the skill could read the wrong project data or write reports somewhere unintended.
The skill requests filesystem permission, which is expected for processing user-supplied BIM/CAD files and exporting reports, but it still means the agent can interact with local files.
"permissions": [
  "filesystem"
]
Provide explicit input file paths and confirm export destinations before allowing report generation.
If the required third-party libraries are not already installed, the user or agent may need to install them separately, which introduces the usual dependency-provenance considerations.
The documented implementation relies on third-party Python libraries, while the provided requirements only declare python3 and there is no install spec.
import pandas as pd
import numpy as np
Use a trusted Python environment and install any needed libraries such as pandas and numpy from trusted, preferably pinned sources.
