Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Dgn To Excel
v2.0.0Convert DGN files (v7-v8) to Excel databases. Extract elements, levels, and properties from infrastructure CAD files.
⭐ 0· 1.1k·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims to convert DGN files to Excel and the instructions call a CLI named 'DgnExporter.exe' via subprocess.run. However, the registry metadata declares no required binaries, no install spec, and there is no homepage or source for the executable. The runtime therefore relies on a third-party binary of unknown provenance (and appears Windows-centric) which is inconsistent with the declared requirements.
Instruction Scope
SKILL.md stays within the conversion scope (read DGN, run converter, write .xlsx, parse results). It explicitly instructs using subprocess.run to invoke the CLI and requires filesystem access — both reasonable for this task. The instructions also assert 'No Bentley license required' but give no guidance on obtaining/validating DgnExporter.exe; that missing guidance increases risk because the agent (or operator) may run an untrusted executable.
Install Mechanism
There is no install spec (instruction-only), which reduces direct install-time risk from the skill itself. However, because the workflow depends on an external executable, the absence of any recommended source, checksum, or official distribution channel is a gap: a user will need to obtain and run a binary from an unspecified origin, which can be dangerous if untrusted.
Credentials
The skill requests no environment variables or credentials and only requires filesystem permission (declared in claw.json). That level of access is proportionate for reading DGN files and writing Excel outputs.
Persistence & Privilege
always:false and default invocation settings are used. The skill does not request elevated or persistent platform privileges and does not attempt to modify other skills or global agent configuration.
What to consider before installing
Before installing or running this skill, verify the origin and integrity of the DgnExporter.exe executable it depends on. Specifically: 1) Ask the publisher for a homepage or official distribution link, digital signature, and checksums; 2) Prefer an open-source or vendor-provided converter with a verifiable release (GitHub release, vendor site, signed installer); 3) If you must use an unknown binary, run it in an isolated VM or sandbox and scan it with up-to-date antivirus/endpoint tools; 4) Test the skill with non-sensitive sample DGN files first; 5) Avoid running the converter on systems holding sensitive data until you confirm the binary’s provenance; 6) If possible, request source code or a reproducible build so you can audit/verify behavior (particularly any network access). The skill itself is coherent in purpose but the missing, unsigned external dependency is the main risk.Like a lobster shell, security has layers — review code before you run it.
latestvk9784zs5qpg394rchdw9zfsv8h812zwp
License
MIT-0
Free to use, modify, and redistribute. No attribution required.