Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
lhx111
v1.0.0
Comprehensive spreadsheet creation, editing, and analysis with support for formulas, formatting, data analysis, and visualization. When Claude needs to work...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Skill name/description (spreadsheet creation, editing, recalculation) aligns with included code (recalc.py) and instructions (openpyxl/pandas). However SKILL.md explicitly requires LibreOffice for recalculation while the skill metadata lists no required binaries or dependencies — an inconsistency. Declared purpose reasonably justifies running LibreOffice and openpyxl/pandas, but the manifest should declare these prerequisites.
Instruction Scope
Runtime instructions tell the agent to run recalc.py which will configure LibreOffice and execute soffice to recalculate formulas. The script writes a macro file into the user's LibreOffice macro directory (~/.config/... or ~/Library/...), then invokes LibreOffice headless. Writing application macros/config is a non-trivial side effect beyond simply opening a workbook and may persist after the skill runs.
Install Mechanism
There is no install specification (instruction-only + one helper script), so nothing is downloaded at install time. That lowers supply-chain risk. However, dependencies (pandas, openpyxl, LibreOffice binary 'soffice') are assumed but not declared in metadata, which is an operational/integrity gap.
Credentials
The skill requires no environment variables or credentials (which is appropriate). But it requires write access to the user's LibreOffice macro/config directory to install a macro, which is a broader file-system privilege than simply reading/writing an individual workbook. This change isn't justified in the manifest and could be surprising to users.
Persistence & Privilege
The recalc script creates/modifies a macro file in the user's LibreOffice config (persisting beyond the immediate task). While the macro is simple and intended to recalc/save, any skill that writes persistent macros or config should be treated with caution because macros can later be invoked by other documents or processes.
What to consider before installing
Before installing or running this skill:
(1) understand that it expects LibreOffice ('soffice') and Python packages (openpyxl, pandas) though they are not declared — ensure those are installed or ask the author to list them;
(2) the included recalc.py will write a LibreOffice macro file into your user config (path differs on macOS vs Linux). Back up your LibreOffice profile or review the macro content (Module1.xba) before running; if you prefer not to allow persistent changes, run the script in an isolated VM/container or modify recalc.py to avoid writing macros and instead use a transient recalculation approach;
(3) review the script for any modifications you don't expect — here the macro simply calls calculateAll()/store()/close(), which is consistent with recalc intent, but any persistent macro install increases risk;
(4) ask the publisher to update manifest metadata to declare required binaries/dependencies and to make macro installation optional or explicit in the install step.
If you cannot verify these items, treat the skill as suspicious and run it only in a sandbox.
Like a lobster shell, security has layers — review code before you run it.
