Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Finance Report Analyzer

Analyze financial data from uploaded Excel/PDF files and generate interactive reports with sparkline trend charts. Supports output to PDF, DOCX, Markdown, an...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 1.4k · 7 current installs · 8 all-time installs
by Nick Qiu (@qiujiahong)
MIT-0
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability (flagged)
The skill claims to ingest uploaded Excel/PDF and deliver reports (expected). However SKILL.md explicitly instructs the agent to read channels.feishu.appId/appSecret from openclaw.json to obtain Feishu tokens. The registry metadata declares no required env vars or config paths, so asking to read openclaw.json is out-of-band and not justified by the declared requirements.
Instruction Scope (flagged)
Most instructions (parsing Excel, generating HTML, converting to PDF/DOCX, sending via Feishu API) fit the stated purpose. But SKILL.md tells the agent to: (1) extract app credentials from openclaw.json (an agent config file outside the skill's declared scope), (2) use unspecified external tools 'feishu_doc/feishu_bitable' and arbitrary 'web_search' calls. Directing the agent to read agent configuration for credentials and to use tools not declared grants it access beyond what the description indicates.
Install Mechanism
There is no install spec (instruction-only), which lowers risk. The included script self-installs Python dependency openpyxl at runtime via os.system('pip install ...') if missing; the script will also call external converters (wkhtmltopdf/chromium/pandoc) via subprocess when converting outputs. Self-installing pip packages at runtime is a moderate risk and should be reviewed, but the sources are standard PyPI usage rather than an arbitrary download URL.
Credentials (flagged)
The skill declares no required credentials but expects Feishu app_id/app_secret stored in openclaw.json (sensitive). Asking the agent to read an agent config file that likely contains credentials for other skills or services is disproportionate. The skill also references uploading files via Feishu API and thus implicitly requires Feishu credentials — those should be declared explicitly, not pulled from an undeclared config path.
Persistence & Privilege
always:false and no install hooks are present. The skill does not request permanent presence or set always:true, and there is no evidence it modifies other skill configs or system-wide settings. Autonomous invocation is allowed by default but not by itself a concern here.
What to consider before installing
This skill appears to do what it says (generate reports) but asks for additional access that isn't declared. Before installing or running it: (1) inspect scripts/generate_report.py fully to confirm it makes only expected network calls and subprocess invocations; (2) do NOT allow the skill to read your openclaw.json or other agent config containing credentials — instead provide a purpose-specific Feishu app_id/app_secret or a temporary token if you need Feishu integration; (3) be aware the script will attempt to pip-install openpyxl at runtime and will call external converters (wkhtmltopdf, pandoc, chromium) if you request PDF/DOCX output — install those tools from trusted sources beforehand; (4) if you do not use Feishu, remove or disable the Feishu-related download/upload steps. If you want higher assurance, ask the author to (a) declare required env vars/config paths in the skill metadata, (b) avoid reading global agent config, and (c) avoid runtime pip installs or document them clearly.
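The review points above can be turned into a quick pre-install triage that a reviewer runs over a skill directory before deciding. The script below is an added example, not part of the ClawHub page or of the skill's own code: it greps SKILL.md and the bundled scripts for the patterns the scan names (reads of openclaw.json, runtime pip installs, calls to external converters, tool calls the description never declares) and then checks which hits have no matching declaration in the skill metadata. The rule names, the file names and both sample inputs are assumptions; the SKILL.md lines are copied from the page, while the script body is constructed to model what the scan says about scripts/generate_report.py.

```python
"""Pre-install triage for an agent skill directory.

Added example; it is not part of the ClawHub page or of the skill's own code.
It turns the review points from the scan into text checks that run over a
skill's SKILL.md and scripts, then compares what fires against what the
skill's metadata declares. File names, rule names and both sample inputs
are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    file: str
    line_no: int
    line: str


# Narrow patterns, one per review point, so each hit is easy to justify.
RULES = [
    # reads the agent-wide config instead of a declared credential source
    ("reads-agent-config", re.compile(r"openclaw\.json")),
    # installs packages while running rather than at install time
    ("runtime-pip-install", re.compile(r"os\.system\(\s*['\"]pip install")),
    # shells out to converters that must be present and trusted on the host
    ("external-converter", re.compile(r"\b(wkhtmltopdf|chromium|pandoc)\b")),
    # tools the skill description never declares
    ("undeclared-tool-call", re.compile(r"\b(feishu_doc|feishu_bitable|web_search)\b")),
]


def scan_text(name, text):
    """Return one Finding per (line, rule) match in a single file's contents."""
    findings = []
    for i, line in enumerate(text.splitlines(), 1):
        for rule, rx in RULES:
            if rx.search(line):
                findings.append(Finding(rule, name, i, line.strip()))
    return findings


def scan_files(files):
    """files maps a file name to its contents (read from the skill dir in real use)."""
    findings = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
    return findings


def summarize(findings):
    """Count findings per rule."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


def undeclared_access(findings, declared_config_paths=(), declared_tools=()):
    """Rules that fire without a matching declaration in the skill metadata.

    A config read is acceptable only if the path is declared; a tool call only
    if the tool is declared. Everything else is access beyond the description.
    """
    flagged = set()
    for f in findings:
        if f.rule == "reads-agent-config" and "openclaw.json" not in declared_config_paths:
            flagged.add(f.rule)
        if f.rule == "undeclared-tool-call":
            tool = re.search(r"feishu_doc|feishu_bitable|web_search", f.line).group(0)
            if tool not in declared_tools:
                flagged.add(f.rule)
    return sorted(flagged)


# Constructed sample inputs: the SKILL.md lines are taken from the page, the
# script body is made up to model what the scan describes.
SAMPLE_SKILL_MD = """\
Get app credentials: read channels.feishu.appId/appSecret from openclaw.json.
2. Feishu Doc/Bitable link - Use feishu_doc/feishu_bitable tools
web_search("{company} 行业对比 市场份额 {year}")
"""

SAMPLE_SCRIPT = """\
import os, subprocess
try:
    import openpyxl
except ImportError:
    os.system('pip install openpyxl')
    import openpyxl
subprocess.run(['wkhtmltopdf', 'report.html', 'report.pdf'])
"""

SAMPLE_FILES = {"SKILL.md": SAMPLE_SKILL_MD, "scripts/generate_report.py": SAMPLE_SCRIPT}

if __name__ == "__main__":
    found = scan_files(SAMPLE_FILES)
    for f in found:
        print(f"{f.file}:{f.line_no} [{f.rule}] {f.line}")
    print("summary:", summarize(found))
    print("undeclared:", undeclared_access(found))
```

On the sample input this reports one config read, one runtime pip install, one external converter and two undeclared tool calls; declaring the tools in the metadata clears the tool finding but the openclaw.json read stays flagged until the skill either declares that path or, better, stops reading it.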

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.2.0
latest: vk97d1sdmnb1vnfya7nsnhppyex82hc4x

License

MIT-0
Free to use, modify, and redistribute. No attribution required.

SKILL.md

Finance Report Analyzer

Generate financial analysis reports from uploaded Excel/PDF files with inline SVG sparkline trend charts and multi-format output.

Quick Start

python3 scripts/generate_report.py input.xlsx -o pdf --company "公司名" --ticker "000001.SZ"

Output Formats

-o flag controls output. HTML is always generated as the base; other formats convert from HTML.

Flag      Output                 Requires
-o html   HTML only              (built-in)
-o pdf    HTML + PDF (default)   wkhtmltopdf or chromium
-o doc    HTML + DOCX            pandoc
-o md     HTML + Markdown        pandoc or markdownify

Workflow

Step 1: Acquire Data File

Try in order:

  1. Feishu chat file attachment — Download via API:

    # Get token
    TOKEN=$(curl -s -X POST 'https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal' \
      -H 'Content-Type: application/json' \
      -d '{"app_id":"APP_ID","app_secret":"APP_SECRET"}' | python3 -c "import json,sys; print(json.load(sys.stdin)['tenant_access_token'])")
    # Get file_key from message
    curl -s "https://open.feishu.cn/open-apis/im/v1/messages/{message_id}" -H "Authorization: Bearer $TOKEN"
    # Download
    curl -s "https://open.feishu.cn/open-apis/im/v1/messages/{message_id}/resources/{file_key}?type=file" \
      -H "Authorization: Bearer $TOKEN" -o /tmp/data.xlsx
    

    Get app credentials: read channels.feishu.appId/appSecret from openclaw.json.

  2. Feishu Doc/Bitable link — Use feishu_doc/feishu_bitable tools

  3. Local file — Use directly

  4. Pasted text — Parse and save as xlsx

Step 2: Generate Report

python3 scripts/generate_report.py /tmp/data.xlsx -o pdf \
  --company "百济神州-U" --ticker "688235.SH" --output-dir /tmp/reports

Step 3: Web Search Enhancement (Optional)

Search for industry benchmarks:

web_search("{company} 行业对比 市场份额 {year}")

Step 4: Deliver File via Feishu API

The message tool may send file paths as plain text instead of attaching the file. Call the Feishu API directly to send a real file message:

# 1. Upload file to get file_key
UPLOAD=$(curl -s -X POST 'https://open.feishu.cn/open-apis/im/v1/files' \
  -H "Authorization: Bearer $TOKEN" \
  -F 'file_type=stream' \
  -F "file_name=report.html" \
  -F "file=@/path/to/report.html")
FILE_KEY=$(echo "$UPLOAD" | python3 -c "import json,sys; print(json.load(sys.stdin)['data']['file_key'])")

# 2. Send file message to chat
curl -s -X POST 'https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=chat_id' \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d "{\"receive_id\":\"CHAT_ID\",\"msg_type\":\"file\",\"content\":\"{\\\"file_key\\\":\\\"$FILE_KEY\\\"}\"}"
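Step 1 tells the agent to pull the Feishu app credentials out of openclaw.json, which is the access the scan above objects to, and Step 4 builds the message body with hand-escaped shell quoting. The block below is an added example, not the skill's own code and not part of the ClawHub page: it implements the same token-then-send exchange with the credentials coming from two explicitly declared environment variables (FEISHU_APP_ID and FEISHU_APP_SECRET are assumed names), failing closed when they are absent, and serialises the nested `content` field with json.dumps. The HTTP transport is injected, so the flow runs offline against a constructed fake that records what would have gone over the wire; the multipart upload that produces file_key is left to the curl command above.

```python
"""Feishu token and file-message flow with declared credentials.

Added example; it is neither the skill's own code nor part of the ClawHub
page. Credentials come from declared environment variables (assumed names
FEISHU_APP_ID / FEISHU_APP_SECRET) instead of openclaw.json, request bodies
are built with json.dumps, and the transport is injected so the exchange can
be exercised offline against a constructed fake.
"""
import json
import os
import urllib.request

FEISHU = "https://open.feishu.cn/open-apis"


def load_feishu_credentials(env=None):
    """Read credentials only from declared variables; never fall back to an
    agent-wide config file that holds other skills' secrets."""
    env = os.environ if env is None else env
    app_id, app_secret = env.get("FEISHU_APP_ID"), env.get("FEISHU_APP_SECRET")
    if not app_id or not app_secret:
        raise RuntimeError("FEISHU_APP_ID and FEISHU_APP_SECRET must be set")
    return app_id, app_secret


def urllib_transport(method, url, headers, body):
    """Real transport (not used in the offline run): returns the decoded JSON."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def tenant_token_request(app_id, app_secret):
    body = json.dumps({"app_id": app_id, "app_secret": app_secret}).encode()
    return ("POST", f"{FEISHU}/auth/v3/tenant_access_token/internal",
            {"Content-Type": "application/json"}, body)


def file_message_request(token, chat_id, file_key):
    # Feishu expects `content` to be a JSON string nested inside the JSON body,
    # so it is serialised separately; the shell version escaped this by hand.
    payload = {"receive_id": chat_id, "msg_type": "file",
               "content": json.dumps({"file_key": file_key})}
    return ("POST", f"{FEISHU}/im/v1/messages?receive_id_type=chat_id",
            {"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
            json.dumps(payload).encode())


def _check(resp, what):
    # Feishu responses carry a numeric `code`, 0 on success.
    if resp.get("code", 0) != 0:
        raise RuntimeError(f"{what} failed: {resp}")
    return resp


def get_tenant_token(transport, app_id, app_secret):
    resp = _check(transport(*tenant_token_request(app_id, app_secret)), "token request")
    return resp["tenant_access_token"]


def send_file_message(transport, token, chat_id, file_key):
    return _check(transport(*file_message_request(token, chat_id, file_key)), "send")


def deliver_report(transport, env, chat_id, file_key):
    """Step 1 credential sourcing plus Step 4 delivery, end to end."""
    app_id, app_secret = load_feishu_credentials(env)
    token = get_tenant_token(transport, app_id, app_secret)
    return send_file_message(transport, token, chat_id, file_key)


class FakeFeishu:
    """Constructed stand-in for the two endpoints; records each request so the
    caller can inspect exactly what would have been sent."""

    def __init__(self):
        self.calls = []

    def __call__(self, method, url, headers, body):
        decoded = json.loads(body)
        self.calls.append({"method": method, "url": url, "headers": headers, "body": decoded})
        if url.endswith("/auth/v3/tenant_access_token/internal"):
            return {"code": 0, "msg": "ok", "tenant_access_token": "t-" + decoded["app_id"], "expire": 7200}
        if url.startswith(f"{FEISHU}/im/v1/messages"):
            if headers.get("Authorization", "").startswith("Bearer t-"):
                return {"code": 0, "msg": "success", "data": {"message_id": "om_constructed"}}
            return {"code": 1, "msg": "constructed: missing or bad token"}
        return {"code": 1, "msg": "constructed: unknown endpoint"}


if __name__ == "__main__":
    fake = FakeFeishu()
    env = {"FEISHU_APP_ID": "cli_demo", "FEISHU_APP_SECRET": "demo-secret"}
    print(deliver_report(fake, env, "oc_demo_chat", "file_demo_key"))
    for call in fake.calls:
        print(call["method"], call["url"], call["body"])
```

To run it for real, pass `urllib_transport` instead of `FakeFeishu()` and set the two variables in the skill's own environment; the skill metadata should then list them as required, which is exactly the declaration the scan asks the author for.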

Report Features

  • Sparkline trend charts: Each metric row has an inline SVG showing the trend (solid=actual, dashed=forecast)
  • Forecast markers: Predicted values marked with ⟡ symbol and yellow background
  • Color coding: Green=positive, Red=negative
  • Responsive: Works on mobile and desktop
  • Print-ready: CSS print styles included

Metric Definitions

See references/metrics.md for financial metric calculations.

Files

5 total