csvglow

Security checks across static analysis, malware telemetry, and agentic risk

Overview

csvglow appears to be a coherent dashboard-generation skill. The main things to note are that it relies on an external `csvglow` binary and processes local spreadsheet data into HTML.

This skill looks appropriate for creating dashboards from CSV or Excel files. Before installing, make sure the `csvglow` binary comes from a trusted source, avoid using sensitive spreadsheets unless you are comfortable with their contents appearing in a generated HTML file, and use `--no-open` or a controlled output path when needed.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

You need to trust the separately installed `csvglow` program, because this package only tells the agent how to call it.

Why it was flagged

The skill delegates its real behavior to an external `csvglow` binary that is not included or installed by the provided artifacts.

Skill content
Required binaries (all must exist): csvglow ... No install spec — this is an instruction-only skill.
Recommendation

Install `csvglow` only from a trusted source and review the upstream project or package manager source before using it on private data.

ASI02: Tool Misuse and Exploitation
Info
What this means

Using the skill can create local HTML files and open them automatically, potentially displaying data from the selected spreadsheet.

Why it was flagged

The documented CLI reads a local file, writes an HTML output file, and opens a browser by default; these are expected for this dashboard-generation purpose.

Skill content
csvglow <file>                       # Generate dashboard and open in browser
csvglow data.csv -o dashboard.html   # Custom output path
csvglow data.csv --no-open           # Don't auto-open browser
Recommendation

Use it only on files you intend to visualize, specify an output path when needed, and use `--no-open` if you do not want the browser to open automatically.

ASI07: Insecure Inter-Agent Communication
Low
What this means

If you choose to run MCP mode, other agent tooling may be able to request dashboard generation depending on how the server is configured.

Why it was flagged

The artifacts mention an optional MCP server mode, which could expose the tool through an agent/tool interface, but no server configuration or automatic startup is included.

Skill content
Also available as an MCP server: `csvglow --mcp`
Recommendation

Only enable MCP mode intentionally, and ensure any MCP configuration limits which agents can call it and which local files they may access.