Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The SKILL.md describes straightforward Excel operations (remove blanks, dedupe, sort, save). The code's main logic delegates to require('./excel-handler'), but that file is not included in the package. This means the implementation required to perform the stated work is missing — the package as distributed cannot actually do what it claims.
Instruction Scope
SKILL.md asks the agent to let the user pick a file, read/modify it, and 'save new file to desktop' — which implies filesystem read/write of user files. The code returns a success message '新文件已保存至桌面' ("New file saved to desktop") without showing any file operations (those would be in the missing excel-handler). Because the actual file-handling code is absent, it's unclear what would run and what data would be written or transmitted.
Install Mechanism
There is no install spec and no external downloads; the skill is instruction/code-only. The only external require is '@clawhub/skill-sdk', which the code comments claim is provided by the platform. No third-party fetches or archive extraction are present in the repo.
Credentials
The skill declares no required environment variables and no config paths. The code uses a platform billing SDK (SkillPay) and assumes the platform injects the SkillPay API key; this is plausible for platform-hosted skills. There are no explicit requests for unrelated credentials, but the payment flow means users will be asked to complete a purchase via a generated payUrl — verify that URL comes from the platform.
Persistence & Privilege
The skill does not request always:true, does not declare persistent system-wide modifications, and does not ask to change other skills' configs. It follows the platform default that allows autonomous invocation, which by itself is not a new concern.
What to consider before installing
Do not install or pay for this skill yet. Key issues: (1) the core implementation (./excel-handler) is missing — the package cannot perform the Excel operations it advertises; (2) the code performs payment checks and will present a pay link — confirm the payUrl originates from the platform before paying; (3) SKILL.md intends to write a new file to your Desktop — ask for explicit details about where files will be saved and whether existing files may be overwritten; (4) request the missing excel-handler source or a complete package so you can review file I/O and any network calls the handler might make; (5) if you test it, use non-sensitive sample files and back up originals. If the publisher cannot provide the missing file or a trustworthy explanation, treat the skill as incomplete and avoid using it.
Like a lobster shell, security has layers — review code before you run it.
