Skill v1.0.2

ClawScan security

广告数据分析 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 16, 2026, 6:13 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code and instructions are coherent with its advertised purpose (local ad-report analysis and chart generation) and do not request credentials, network access, or unexpected system privileges.
Guidance
This skill appears to do only local analysis and charting. Before running: (1) review the included scripts/analyze.py yourself (it is small and readable); (2) install the listed Python packages from trusted sources (pip) if needed; (3) run it locally on your machine (python3 analyze.py --file /path/to/report.xlsx --out ./charts) — the script writes PNGs to the output folder and prints reports to stdout; (4) avoid processing files containing sensitive secrets you don't want stored locally (the script will read the spreadsheet contents and save charts locally); (5) note that Excel macros are not executed by this script, but you should still avoid opening untrusted files in other applications. Overall, the skill is internally consistent and does not request network access or credentials.

Review Dimensions

Purpose & Capability
ok
Name/description (广告数据分析) match the included script and SKILL.md: the script loads Excel/CSV, auto-detects columns, computes summaries, detects anomalies, generates PNG charts and prints suggestions. Required binaries (python3) and the declared Python packages are appropriate for the stated functionality.
Instruction Scope
ok
SKILL.md instructs the user to save and run scripts/analyze.py locally and the script's operations are limited to reading the provided file, computing analyses, and saving charts to the specified output directory. The instructions do not ask to read unrelated system files, environment variables, or to transmit data externally. The SKILL.md explicitly states data is processed locally, which aligns with the code.
Install Mechanism
ok
There is no install spec (instruction-only), which minimizes risk. The SKILL.md metadata lists pip dependencies (pandas, openpyxl, xlrd, matplotlib, seaborn) — these are appropriate for Excel/CSV parsing and plotting; the user must install them locally. No downloads from untrusted URLs or archive extraction are present.
Credentials
ok
The skill requests no environment variables, credentials, or config paths. The script does not access os.environ or other secrets; its file I/O is limited to the provided report and the specified output directory.
Persistence & Privilege
ok
The skill does not request permanent presence (always:false) and does not modify other skills or system-wide configuration. It runs as a local script when invoked and writes outputs only to the provided output directory.