Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Xlsx Pro

v1.0.1

Skill for working with Excel files (.xlsx, .xlsm, .csv, .tsv). Use when the user wants to: open, read, edit or create a spreadsheet file; add columns, calculate formulas, format, create charts, clean data; convert between tabular formats. The deliverable must be a spreadsheet file. DO NOT use if the deliverable is a Word document, HTML, a standalone Python script, or a Google Sheets integration.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, SKILL.md, README, and the included Python/C helper code are coherent: the skill writes Excel files with formulas and optionally recalculates them via LibreOffice. The recalc.py, soffice helper, and README all serve that declared purpose.
! Instruction Scope
Runtime instructions and scripts go beyond mere file creation: they create a LibreOffice macro file under user macro dirs (~/.config/libreoffice/... or macOS Library path), invoke soffice in headless mode, and may invoke gcc to build a socket shim. These steps modify user configuration and launch external binaries; they should be considered side-effects and require user consent. The SKILL.md explicitly instructs installing system packages and running the recalc script which will write into the user's LibreOffice macro directory.
Install Mechanism
There is no remote download/install spec (no network fetches). However the soffice helper writes C source to the temp directory and attempts to compile it with gcc into an LD_PRELOAD .so shim. Compiling and LD_PRELOADing native code at runtime is uncommon for simple data-manipulation skills and increases risk surface (local compilation/execution), though it is used here to work around sandboxed AF_UNIX socket issues rather than fetching remote binaries.
Credentials
The skill does not request credentials or environment variables in metadata. It does set SAL_USE_VCLPLUGIN=svp in the subprocess env for soffice runs (documented) and uses LD_PRELOAD only for the soffice subprocess. No API keys or unrelated secrets are requested.
! Persistence & Privilege
The recalc flow writes a LibreOffice macro XML into the user's LibreOffice macro directory and writes/keeps a compiled shim in the temp directory. Those files persist on disk beyond a single run and alter another application's (LibreOffice) configuration. While this is functional for the stated recalculation goal, it is a form of persistence impacting user-level configuration and should be treated with caution.
What to consider before installing
This skill appears to do what it says (create/edit XLSX and optionally recalc via LibreOffice), but it performs operations with real side effects: it writes a LibreOffice macro into your user profile and may compile an LD_PRELOAD .so shim in /tmp. Before installing or running:

1) Inspect the files yourself (scripts/recalc.py, scripts/office/soffice.py and the shim C source in the repo) to verify you accept the actions. The macro content is visible in the repo (RecalculateAndSave), but writing macros modifies your LibreOffice profile.
2) Run the tool on copies of your files and not on irreplaceable data; back up templates.
3) If you are uncomfortable with compiling/running native code or installing LibreOffice macros on your account, run the skill inside an isolated environment or container.
4) Confirm you trust the unknown source/owner (no homepage provided).
5) If you approve usage but want minimal impact, consider editing recalc.py to skip macro installation and instead manually perform the LibreOffice recalculation in a controlled manner.

If you want a safer install, request the author to provide an opt-in path that does not auto-write macros or compile LD_PRELOAD code.

Like a lobster shell, security has layers — review code before you run it.

excel · latest · libreoffice · openpyxl · pandas · xlsx
