Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

officecli-financial-model

v1.0.2

Use this skill when the user wants to build a financial model, 3-statement model, DCF valuation, cap table, scenario analysis, or financial projections in Ex...

by 瓦砾 @iceyliu
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name, description, and detailed build steps align with creating formula-driven, multi-sheet financial models. The instructions consistently use an external CLI (officecli) for batch operations, which explains the dependency on that tool. Minor mismatch: the registry entry declares no install spec, yet the SKILL.md requires installing an external binary at runtime.
Instruction Scope
SKILL.md instructs the agent to run shell/PowerShell commands that will fetch and execute a remote install script (curl raw.githubusercontent.com ... | bash and a PowerShell irm alternative). That action downloads and runs code from the network without checksum or signature verification. Other than that, the instructions stay within modeling scope (creating sheets, formulas, validations) and do not request unrelated files, environmental secrets, or data exfiltration.
Install Mechanism
There is no declared install spec, but the runtime instructions direct fetching and executing an installer from a GitHub raw URL (raw.githubusercontent.com) and use the GitHub releases API to check versions. While GitHub is a common host, executing an arbitrary install.sh from a remote repo without integrity checks or pinned release artifacts is high-risk. The script would run with user privileges and could install persistent binaries.
Credentials
The skill requires no credentials, no config paths, and no special environment variables. The SKILL.md references only transient env values (e.g., $env:TEMP, /tmp) and local workbook paths, which are reasonable for an Excel-building tool. No secret exfiltration or unrelated credential access is requested.
Persistence & Privilege
Metadata does not request always-on or elevated privileges. However, the instructions encourage installing a persistent external CLI (officecli) on the host; installing that binary gives the skill (or an operator) the ability to run that tool later. If you allow the install, you are granting persistent executable presence on the system, increasing blast radius if the binary is malicious or compromised.
What to consider before installing
This skill otherwise looks coherent for its stated purpose, but before installing or running it consider:
1) Do NOT blindly run the curl | bash or PowerShell irm -> install.ps1 commands. Inspect the repository and the install.sh script yourself (or link to a signed release).
2) Prefer installing officecli via a vetted package (official package manager or a GitHub release asset with checksum/signature) and verify hashes.
3) If you must try this skill, run the installation in an isolated environment (VM/container) or on a non-sensitive machine first.
4) Ask the publisher for an install manifest, signed release, or to include a proper install spec in the registry so you can review what will be written/executed.
5) If you cannot verify the install script, decline installation. The modeling instructions themselves are useful but rely on an external binary that must be trusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk974p2jhayx3md51wtpe17ejcx8411mt
