Create an Excel (.xlsx) file containing formatted data.

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Excel file generator, with the main caution that it may automatically install its spreadsheet library if it is missing.

Install only if you are comfortable with a skill that can install openpyxl automatically the first time it runs. Use it for data you intend to place in an Excel file, and confirm the output filename/path before generation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
except ImportError:
        print(f"⚠️ 正在自动安装缺少的核心库: {package_name} ...")
        try:
            subprocess.check_call([sys.executable, "-m", "pip", "install", package_name])
            print(f"✅ {package_name} 安装成功!")
        except Exception as e:
            print(f"❌ 安装失败: {e}")
Confidence
98% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", package_name])

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
Automatic dependency installation adds capabilities beyond the stated purpose of creating Excel files, including subprocess execution and potential network access. In an agent skill context, this is dangerous because a seemingly simple document-generation tool can modify the environment, fetch external code, and create non-deterministic behavior that operators may not expect.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger keywords are broad and generic enough that the skill may activate for loosely related requests such as reports, exports, or tables without strong confirmation that spreadsheet generation is actually intended. In an agent setting, overly permissive activation can cause incorrect tool selection, unintended file generation, and increased exposure to downstream risks if user-provided content is automatically processed into files.

VirusTotal

VirusTotal findings are pending for this skill version.
