Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Data Analysis Skill Pack
v1.0.0 Data Analysis Skill Pack - automatically fetches, cleans, visualizes, and generates reports. Suited to data analysts and operations staff; say goodbye to manual Excel work.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence

Purpose & Capability
The declared purpose (data fetch, clean, visualize, report) matches the included scripts (data-fetch.js, data-clean.js, data-viz.js, report-generate.js). However, the SKILL.md and README use inconsistent command names and paths (e.g., '/data-fetch', '/data-api', '/data-report', and references to 'data-report.js' or 'data-report'), while the code files include 'report-generate.js'. The file structure in SKILL.md references package.json, install.bat, run.bat, config.json and example files, but those files are not present in the provided manifest — this mismatch suggests the package is incomplete or incorrectly packaged.
Instruction Scope
Runtime instructions tell users to 'npm install' and run commands, but the SKILL.md examples use non-existent or inconsistent command names (leading slash /data-fetch) and reference files that are missing. The README and config examples encourage putting Authorization Bearer tokens into config headers (config.json) — storing credentials in plaintext config files is insecure, and the tokens are not declared as required env vars. The report generator (report-generate.js) imports child_process.execSync (present in the code), which most likely runs external conversion tools (PDF/HTML/markdown converters) — executing external binaries based on config or input increases risk if the invoked commands and arguments are not strictly controlled.
Install Mechanism
There is no explicit install spec in the registry entry (no download/install script provided). SKILL.md instructs 'npm install', implying a package.json is required — but package.json is referenced in SKILL.md structure yet is not present in the file manifest. That mismatch prevents a straightforward install and suggests the published bundle is incomplete or incorrectly assembled.
Credentials
The skill declares no required environment variables, but its configuration examples and scripts accept Authorization headers and suggest placing tokens in config.json. Asking users to store API tokens in repository config files (not declared or protected) is disproportionate and risky. The scripts accept arbitrary --headers JSON and will use them in HTTP requests; combined with write-to-disk behavior this could expose secrets if mishandled. Also, execSync usage in report generation can cause environment-dependent side effects if external tools are invoked.
Persistence & Privilege
The skill does not request persistent always:true privileges and does not appear to modify other skills or system-wide agent settings. It writes outputs to a local 'output' directory within the skill and creates that directory if missing (normal). The main privilege concern is runtime: execSync may run system binaries during report generation, so run-time execution context matters — but autonomy flags are default/normal.
What to consider before installing
This package appears to implement the advertised data-analysis functions, but the bundle is inconsistent and incomplete — do not run it blindly. Before installing or executing:
1) Request the missing files (package.json, install/run scripts, config.json) or a corrected manifest;
2) Inspect package.json for postinstall scripts that run arbitrary code;
3) Review the full report-generate.js content to see exactly what execSync commands are executed (PDF/HTML converters or arbitrary shell calls);
4) Avoid placing API tokens in plain config files — prefer environment variables or a secure secrets store;
5) Run the code in an isolated sandbox/container and with non-sensitive test data first;
6) If you need to proceed on a production system, ask the author for a reproducible build (complete package.json) and a minimal reproducible example, and run npm audit and static analysis.
If the author cannot provide missing files or explain the execSync usage, consider not installing this skill.

Like a lobster shell, security has layers — review code before you run it.
Version: latest (vk97a66780e8fe7w9vxp5nvdwfd825y51)
