Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
MiniMax XLSX Pro
v1.0.0
MiniMax spreadsheet production system. Engage for any task that involves tabular data, numeric analysis, or spreadsheet generation. Supports XLSX/XLSM/CSV th...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared purpose (build xlsx deliverables, recalc formulas, validate structure, create pivots/charts) aligns with the provided code and docs: openpyxl/pandas usage and a recalculation step via LibreOffice are reasonable. However, the SKILL.md repeatedly references a native CLI binary at ./scripts/MiniMaxXlsx for many validation/pivot/chart operations but that binary is not present in the file manifest — a functional gap/incoherence. Either the binary is expected to be provided externally at runtime (not declared) or the skill is incomplete.
Instruction Scope
The runtime instructions call for creating a LibreOffice macro and writing it into the user's macro folder (~/.config/libreoffice/... or macOS Library path) via scripts/recalc.py. That modifies a persistent user configuration area and can overwrite existing macros. The SKILL.md does not declare or warn about modifying user config paths. The docs also mandate automatic chart creation and always-inserted cover sheets, which may produce artifacts the user didn't explicitly request.
Install Mechanism
There is no external install spec (instruction-only), which lowers risk. But the skill assumes external tooling: 'soffice' (LibreOffice) and a local binary ./scripts/MiniMaxXlsx. soffice is a reasonable dependency for formula recalculation, but the missing CLI binary is an incoherence. No remote downloads are requested by the skill, which is good, but the scripts will invoke local commands whose presence is assumed.
Credentials
The skill declares no required environment variables or credentials, yet it writes to user home config paths and executes system binaries (soffice, timeout/gtimeout). Writing to the LibreOffice macro directory is persistent filesystem access not disclosed in the metadata. The lack of declared config path requirements is disproportionate to that behavior.
Persistence & Privilege
Although always:false, the skill's recalc.py will create or overwrite a macro file in the user's LibreOffice macro directory, producing a persistent change to the user's environment. That is a privileged side-effect (modifies user application config) and should be explicitly disclosed and permissioned; it currently is not.
What to consider before installing
Key things to check before installing or running this skill:
1) The skill expects a native CLI at ./scripts/MiniMaxXlsx but that binary is not included — ask the publisher where it comes from and request source or a vetted release.
2) scripts/recalc.py will write a LibreOffice macro into your home LibreOffice config (~/.config/libreoffice/... or macOS Library path). That can overwrite existing macros and gives the skill a persistent ability to run LibreOffice scripting on files — only allow this if you trust the skill and have backups.
3) The script invokes system binaries (soffice, timeout/gtimeout); ensure these are present and that running them in your environment is acceptable.
4) If you plan to use on sensitive data, run the skill in a sandboxed environment or inspect/approve the macro code (Module1.xba) and the CLI binary before allowing writes.
5) Ask the maintainer for the missing CLI, a description of why the macro must be written, and an explicit opt-in to modify user config; if they can't provide that, treat the skill as unsafe for production data.
Like a lobster shell, security has layers — review code before you run it.
