Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
officecli-data-dashboard
v1.0.2
Use this skill when the user wants to create a data dashboard, analytics dashboard, KPI dashboard, or executive summary from CSV/tabular data in Excel format...
by 瓦砾 @iceyliu
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name, description, and runtime commands all align: it builds a single .xlsx dashboard from CSV input using a CLI called officecli. Requesting a CLI to perform Excel operations is reasonable. However, the SKILL.md implicitly requires officecli to be present but the skill does not declare that requirement in metadata (no install spec) — the installer is only invoked via the instructions.
Instruction Scope
The SKILL.md instructs the agent to run local shell commands (officecli create/import/set/batch) which is expected for this purpose. The concerning part: the 'BEFORE YOU START' block instructs the agent to run curl to download an install.sh from raw.githubusercontent.com and immediately bash it (and to query the GitHub API). That directs network-download-and-execute behavior at runtime and gives the skill the ability to run arbitrary code on the host when invoked.
Install Mechanism
There is no formal install spec in the registry metadata, but the instructions embed a download-and-execute pattern (curl -fsSL https://raw.githubusercontent.com/.../install.sh && bash /tmp/officecli_install.sh). While GitHub raw is a common host, executing an unverified remote script without pinned versions, checksums, or signatures is higher-risk per the install-mechanism guidance.
Credentials
The skill does not request environment variables, credentials, or config paths. All commands operate on local files (CSV, .xlsx). There are no requests for unrelated secrets or cross-service credentials in the metadata or instructions.
Persistence & Privilege
The skill is not 'always: true' and does not request persistent system-wide privileges in metadata. The instructions do install a CLI when run, which will add binaries to the system, but the skill does not claim or request persistent elevated privileges or modify other skills' configs.
What to consider before installing
This skill appears to do what it says (build Excel dashboards), however the runbook tells the agent to download and execute an installer script from raw.githubusercontent.com every time officecli is missing or out-of-date. Before installing or running this skill:
1) Inspect the installer script (https://raw.githubusercontent.com/iOfficeAI/OfficeCli/main/install.sh) yourself — do not blindly run curl | bash.
2) Prefer a pinned release or checksum verification (the current check compares versions via the GitHub API but does not verify installer integrity).
3) If you cannot audit the installer, pre-install officecli manually from a trusted source or run the skill in a sandboxed environment.
4) Confirm the GitHub repository and publisher identity (iOfficeAI) and check for community reputation.
These steps reduce the risk of executing unexpected code on your machine.
Like a lobster shell, security has layers — review code before you run it.
