Excel Data Auto-Cleaning Engine Pro (Excel 数据自动清洗引擎 Pro)

Security checks across malware telemetry and agentic risk

Overview

This spreadsheet-cleaning skill fits its purpose, but it can process sensitive business or personal data and includes under-scoped external lookup/export behavior.

Install only if you are comfortable letting the agent process spreadsheet files you explicitly provide. Keep backups of originals, review generated cleaned files and reports, and do not allow web_search or Feishu export for customer, financial, ID, phone, address, or other sensitive data unless you approve the exact fields and destination first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium (95% confidence)
Finding
The trigger phrases are broad enough to match routine requests like '处理 Excel' or '去重', which can cause the skill to activate in contexts where the user did not explicitly consent to this workflow. Because the skill can read files, execute Python, write output files, and potentially use networked features, overbroad activation increases the chance of unintended file handling or data processing.

Missing User Warnings

Medium (97% confidence)
Finding
The skill states that it will save cleaned files and reports to disk, but it does not clearly warn users up front that new files will be written. This can lead to unexpected persistence of potentially sensitive business data, accidental overwrites, or creation of derivative files in locations the user did not anticipate.

Missing User Warnings

High (99% confidence)
Finding
The skill advertises `web_search` for data validation and Feishu export, but does not warn that user data may be transmitted to external services. In a data-cleaning context, files may contain personal, financial, or operational information, so silent external transmission creates significant privacy, compliance, and confidentiality risk.

VirusTotal

64/64 vendors flagged this skill as clean.
