Excel AI Analyzer

Security checks across malware telemetry and agentic risk

Overview

Prompt-injection indicators were detected in the submitted artifacts (unicode-control-chars); human review is required before treating this skill as clean.

This skill looks safe for its stated purpose, but only run it on Excel files you are comfortable having analyzed in the agent session. Be aware that chart-generation claims appear unimplemented in the provided code. ClawScan detected prompt-injection indicators (unicode-control-chars), so this skill requires review even though the model response was benign.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Low
What this means

If the spreadsheet contains sensitive personal, financial, or business data, parts of it may appear in the analysis result or report.

Why it was flagged

The skill reads a user-supplied local workbook path and returns sample rows. This is purpose-aligned for Excel analysis, but it means selected file contents can enter the agent output.

Skill content
const workbook = XLSX.readFile(filePath); ... sample: data.slice(0, 5)
Recommendation

Use it only on files you intend to analyze, avoid arbitrary sensitive paths, and review generated reports before sharing them.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

Installation may depend on npm package resolution and the configured package registry or mirror.

Why it was flagged

The skill relies on an external npm package for Excel parsing. The lockfile includes integrity data, and this dependency is expected for the purpose, but users should be aware of the external package source.

Skill content
"node_modules/xlsx": { "version": "0.18.5", "resolved": "https://registry.npmmirror.com/xlsx/-/xlsx-0.18.5.tgz", "integrity": "sha512-..." }
Recommendation

Install from trusted registries where possible and keep the lockfile/dependency provenance intact.

ASI09: Human-Agent Trust Exploitation
Info
What this means

Users may expect charts or richer visualization features that are not implemented in the reviewed code.

Why it was flagged

The documentation advertises visualization/chart generation, but the provided package and runtime code only show xlsx-based parsing and Markdown report generation.

Skill content
- 📈 **Statistical analysis** ... - Visualization charts ... ## Dependencies ... chartjs-node-canvas (chart generation)
Recommendation

Treat chart-generation claims as unverified unless a future version adds the dependency and implementation.