Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Data Format Converter

v1.0.0

Convert data efficiently between CSV, JSON, XML, YAML, and TOML formats including batch processing for CSV↔JSON, JSON↔YAML, XML↔JSON, and TOML↔JSON conversions.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description promise CSV↔JSON (bidirectional), TOML↔JSON, and batch processing, but the actual implementation snippet only provides csv->json, json->yaml, yaml->json and xml->json. There is no json->csv, no TOML handling, and no batch-processing logic. The declared supported formats in SKILL.md and the JS snippet disagree. This mismatch could be benign (unfinished) or misleading.
Instruction Scope
SKILL.md itself contains only conversion instructions and trigger phrases and does not request files, credentials, or network access, which is good. However, the included skill.yaml contains a code snippet that calls parseYaml and parseXml, which are not defined or referenced; the CSV parser is also a naive split-on-comma implementation that doesn't handle quoting/escaping. The instructions are scoped but incomplete, which may cause the agent to attempt to load external libraries or fall back to unsafe behavior when invoked.
Install Mechanism
This is an instruction-only skill with no install spec and no binaries required. There is nothing written to disk by an installer and no external download URLs — low install risk.
Credentials
No environment variables, credentials, or config paths are requested; requested privileges are proportional (none).
Persistence & Privilege
The skill is not marked always:true and makes no requests to change other skills or system-wide settings. Autonomous invocation is allowed (platform default) but is not combined with other red flags here.
What to consider before installing
This skill appears to be unfinished or inconsistent rather than overtly malicious. Before installing or using it: 1) ask the publisher to confirm supported conversions (especially TOML and json->csv and batch operations) and to provide complete implementations for parseYaml/parseXml; 2) test with non-sensitive sample data to verify correctness (CSV quoting, nested JSON, XML edge cases); 3) prefer implementations from a known/verified source; and 4) if you need robust, production-grade conversions, use a well-maintained library or tool instead of this incomplete skill. If the author cannot explain the gaps, treat the skill as unreliable and avoid using it with sensitive data.
