excel-automation
Security checks across malware telemetry and agentic risk
Overview
The skill asks the agent to automatically download and run an unknown Windows executable from an untrusted URL and to force-use that external tool for all Excel work — the behavior is disproportionate and risky even if it could be legitimate.
Don't install this skill without taking precautions. The package downloads and runs a Windows .exe from an unfamiliar domain and forces the agent to use that external tool. If you need Excel automation, prefer vetted libraries (pandas/openpyxl) or tools from trusted release hosts (GitHub releases, official vendor sites).
If you must evaluate this skill:
(1) inspect and verify the DOWNLOAD_URL and host reputation;
(2) run the installer in an isolated VM or sandbox only;
(3) replace the DOWNLOAD_URL with a known-good signed binary on an official release server;
(4) avoid letting the skill auto-run installs on production machines;
(5) consider removing the requirement that the agent must always use this tool.
The mismatch between the code (which downloads executables) and the benign-sounding purpose makes this skill suspicious.
SkillSpector
SkillSpector findings are pending for this release.
VirusTotal
No VirusTotal findings
