Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
AI Data Analysis
v1.0.0
Automates CSV/Excel data cleaning, statistical analysis, trend detection, anomaly identification, visualization, and report generation.
by ZhangYang @arthasking123
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The manifest and SKILL.md advertise CSV/Excel/JSON support, chart generation, trend and anomaly detection, and PDF/HTML export. The shipped main.py only reads CSV via pandas, writes a Markdown summary, and performs simple cleaning with CSV/JSON output. Excel reading, visualization libraries, anomaly/trend algorithms, and export-to-PDF/HTML are not implemented. package.json implies an npm-style package but the runtime is Python — and required runtime deps (python3, pandas, possibly openpyxl/matplotlib) are not declared in the registry metadata. These mismatches are disproportionate to the stated purpose.
Instruction Scope
SKILL.md shows usage examples for analyzing .xlsx files, generating charts, and producing reports, but the runtime instructions embedded in main.py only accept CSV files and provide markdown/CSV/JSON outputs. The instructions therefore overpromise functionality the code doesn't provide. There are no instructions to access unrelated files, env vars, or remote endpoints; however the advertised runtime behavior in SKILL.md is inconsistent with the actual code.
Install Mechanism
No install spec is provided (instruction-only style), so nothing external is downloaded or written during install. That reduces install-time risk. However, a missing declaration of required runtime dependencies (python and pandas, and likely Excel/visualization packages) is an operational gap — not a network/installer risk, but it is an inconsistency to surface to users.
Credentials
The skill requests no environment variables, credentials, or config paths. The code also does not access secrets or external services. This is proportionate to the implemented behavior (local file processing).
Persistence & Privilege
The skill does not request always: true, does not modify other skills or system settings, and writes outputs only under an 'output' directory relative to the script. There is no evidence of elevated persistence or privilege escalation.
What to consider before installing
This skill overpromises features that are not present in the included code. Before installing or using it:
(1) Ask the publisher to reconcile SKILL.md and package.json with the actual implementation and to publish a homepage/source.
(2) Require a clear dependency list (python3, pandas, and if Excel support is needed: openpyxl/xlrd; for charts: matplotlib/plotly; for PDF/HTML: reportlab or wkhtmltopdf) or provide an install spec.
(3) Confirm whether .xlsx, visualization, anomaly detection, and export features are implemented — if not, treat the SKILL.md examples as inaccurate.
(4) Run the package in an isolated environment (non-sensitive test data, sandbox/VM) to verify behavior and inspect the output directory.
(5) If you need the advertised advanced features, prefer a skill whose code and manifest explicitly include those implementations and dependencies, or request changes from the author.
These inconsistencies are likely sloppy engineering but should be resolved before trusting the skill with real data.
Like a lobster shell, security has layers — review code before you run it.
latest: vk971wmcpe4zbsav4ya20a0z0ns81hptv
