csv-profile-stepper
v1.0.0 Reads a CSV and outputs field types, null rates, and unique-value counts.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description promise CSV profiling (field types, null rates, unique counts). The shipped main.py does not implement any profiling logic — it only reads input file length and returns metadata, and exposes many unrelated CLI flags (--url, --endpoint, --payload, etc.). This is a clear mismatch between claimed purpose and actual capability.
Instruction Scope
SKILL.md instructs only local CSV processing and shows running python main.py --input <csv> --output profile.json. However main.py supports outbound network actions (fetching a URL or POSTing a payload to an endpoint) via undocumented flags. The README's claim 'Only processes the data specified by the current command input; performs no additional implicit operations' is contradicted by the code's ability to contact remote hosts.
Install Mechanism
No install spec; single Python file included. No packages or downloads are performed by an installer, so there is low install-time risk. Risk comes from runtime behavior, not installation.
Credentials
The skill declares no required environment variables or credentials, which would be expected for a simple CSV profiler. However the script can send file contents or arbitrary payloads to external endpoints and fetch remote URLs if given --endpoint/--payload or --url. That capability lets data be exfiltrated if a user or agent provides endpoints/URLs — disproportionate to the stated purpose and not documented.
Persistence & Privilege
Skill does not request persistent presence (always:false) and does not modify system or other skills' configuration. No privilege escalation observed in metadata.
What to consider before installing
Do not assume this skill implements CSV profiling: the included main.py only reports input size and exposes CLI flags to fetch URLs or POST payload files. Before installing or running: (1) inspect or run the script locally on non-sensitive sample files to see its behavior; (2) avoid passing --url, --endpoint, or --payload unless you trust the remote host; (3) if you need true CSV profiling, either implement/replace the profiling logic in main.py or ask the publisher for a correct implementation; (4) prefer running in an isolated environment (no network) until you’re confident the tool does what it claims. If you plan to allow autonomous agent use, be especially cautious because the network-capable flags could be invoked to exfiltrate data.
Like a lobster shell, security has layers — review code before you run it.
latest
csv-profile-stepper
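Capability boundaries
- Only processes the data specified by the current command input; performs no additional implicit operations.
- Does not depend on an interactive interface; everything is done through the command line.
Input parameters
- Passed as command-line arguments; for the argument format, see the step commands below.
Output
- Produces command output (stdout) and the corresponding output file (JSON/TXT).
Execution steps (specific operations)
- Prepare the input file in the skill directory, for example input.txt or data.json.
- Run the command: python main.py --input <csv> --output profile.json
- If the command fails, first run --help to view the parameters, then correct the parameters and run again.
- Inspect the output file contents and confirm that the fields and row count match expectations.
- Record this command and the output path for later reproduction.
Verification command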
python main.py --input <csv> --output profile.json --help
