csvglow

PassAudited by ClawScan on May 1, 2026.

Overview

csvglow appears to be a coherent dashboard-generation skill, with the main things to notice being that it relies on an external csvglow binary and processes local spreadsheet data into HTML.

This skill looks appropriate for creating dashboards from CSV or Excel files. Before installing, make sure the `csvglow` binary comes from a trusted source, avoid using sensitive spreadsheets unless you are comfortable with their contents appearing in a generated HTML file, and use `--no-open` or a controlled output path when needed.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

You need to trust the separately installed `csvglow` program, because this package only tells the agent how to call it.

Why it was flagged

The skill delegates its real behavior to an external `csvglow` binary that is not included or installed by the provided artifacts.

Skill content

Required binaries (all must exist): csvglow ... No install spec — this is an instruction-only skill.

Recommendation

Install `csvglow` only from a trusted source and review the upstream project or package manager source before using it on private data.

Info

#ASI02: Tool Misuse and Exploitation

What this means

Using the skill can create local HTML files and open them automatically, potentially displaying data from the selected spreadsheet.

Why it was flagged

The documented CLI reads a local file, writes an HTML output file, and opens a browser by default; these are expected for this dashboard-generation purpose.

Skill content

csvglow <file>                       # Generate dashboard and open in browser
csvglow data.csv -o dashboard.html   # Custom output path
csvglow data.csv --no-open           # Don't auto-open browser

Recommendation

Use it only on files you intend to visualize, specify an output path when needed, and use `--no-open` if you do not want the browser to open automatically.

Low

#ASI07: Insecure Inter-Agent Communication

What this means

If you choose to run MCP mode, other agent tooling may be able to request dashboard generation depending on how the server is configured.

Why it was flagged

The artifacts mention an optional MCP server mode, which could expose the tool through an agent/tool interface, but no server configuration or automatic startup is included.

Skill content

Also available as an MCP server: `csvglow --mcp`

Recommendation

Only enable MCP mode intentionally, and ensure any MCP configuration limits which agents can call it and which local files they may access.