ClawHub

officecli-financial-model

WarnAudited by ClawScan on May 10, 2026.

Overview

The skill’s Excel financial-model purpose is coherent, but it tells the agent to automatically download and run an unpinned GitHub installer or updater before use.

Review this skill before installing. Its financial-model instructions look normal, but do not let it automatically run the GitHub installer or updater unless you trust and have verified OfficeCli. Prefer installing a pinned version yourself and then using the skill only to generate the requested workbook.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

High
#ASI04: Agentic Supply Chain Vulnerabilities
What this means

Installing or updating the tool could run code that is outside the reviewed skill artifacts and may change the local system.

Why it was flagged

The skill downloads an installer from a mutable GitHub branch and executes it, while the registry says there is no install spec or reviewed code package.

Skill content
curl -fsSL https://raw.githubusercontent.com/iOfficeAI/OfficeCli/main/install.sh -o /tmp/officecli_install.sh && bash /tmp/officecli_install.sh
Recommendation

Do not auto-run the installer. Use a pinned, verified OfficeCli release or package-manager install, and require explicit user approval before installation or upgrade.

High
#ASI05: Unexpected Code Execution
What this means

The agent may execute external installation code before creating the spreadsheet, not just generate the requested Excel file.

Why it was flagged

The instruction frames shell or PowerShell execution as a mandatory step before every use, including automatic install or upgrade when officecli is missing or outdated.

Skill content
**Every time before using officecli, run this check:** ... bash /tmp/officecli_install.sh ... Windows: irm ... officecli_install.ps1
Recommendation

Require the user to install officecli separately, or ask for explicit confirmation before any installer or updater command is run.

Low
#ASI02: Tool Misuse and Exploitation
What this means

The skill will write and modify a local Excel file selected by the workflow.

Why it was flagged

The skill uses officecli commands to create and modify a local workbook, which is expected for producing the requested .xlsx output.

Skill content
officecli create model.xlsx ... officecli add model.xlsx / --type sheet ... officecli remove model.xlsx /Sheet1
Recommendation

Use a clear output filename/location and review the workbook before sharing or relying on it.