ClawHub

Excel Xlsx Formula Cleanup Helper

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Excel workbook repair guidance skill with no executable payload or hidden data flow, though its trigger wording is broader than ideal.

Install this only if you want an agent to help inspect and repair Excel workbooks. For sensitive financial or business spreadsheets, use copies, review any proposed changes before replacing originals, and be aware that the publisher should narrow the trigger wording to reduce accidental invocation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger sentences are extremely broad, malformed, and likely to activate on generic Excel-related requests rather than a narrowly scoped task. In an agent environment, ambiguous activation boundaries can cause unintended invocation of this skill on unrelated workbook operations, increasing the chance of unsafe file handling, overreach, or interference with other safer/more appropriate skills.

Vague Triggers

High
Confidence
96% confidence
Finding
The trigger phrases are broad, unnatural, and partially generic, which increases the chance that unrelated user requests mentioning Excel, formulas, or workflows could invoke the skill unintentionally. In an automation context that may lead an agent to operate on spreadsheets, macros, or workbook structures without the user explicitly choosing this skill, creating avoidable risk around integrity-sensitive files.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill description defines activation using a very broad set of Excel-related topics and expansive phrasing like practical help around formulas, Power Query, and implementation support. This can cause the agent to invoke the skill in situations outside its safe or intended scope, increasing the chance of inappropriate automation on user-provided workbooks, including sensitive or macro-enabled files.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The listed trigger keywords are generic terms like microsoft excel, xlsx, formula, power query, vba, and pivot table, with no scoping constraints. In an agentic environment, such broad triggers can cause accidental invocation on benign or unrelated Excel conversations, potentially leading the system to inspect or modify files, preserve macros, or suggest risky workbook operations without sufficient user intent confirmation.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill enables implicit invocation while advertising a broad set of Excel repair and cleanup capabilities, which increases the chance it will be auto-selected for common workbook-support requests without an explicit user opt-in. Because the skill is described as inspecting and fixing workbooks while preserving formulas, VBA, Power Query, pivots, and business logic, unintended invocation could expose sensitive spreadsheet contents or trigger high-impact file modifications in contexts where a narrower or safer tool should have been used.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger sentences are malformed and overly broad, which can cause the skill to activate in contexts far beyond the intended Excel/XLSX troubleshooting domain. In an agent system, ambiguous activation increases the chance of inappropriate tool or skill selection, potentially exposing user files or causing unintended workbook-modifying actions on unrelated requests.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal