ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ERP Tax Filler

v1.0.0

Fill ERP financial data (资产负债表, 利润表, 现金流量表) into official tax bureau Excel templates (.xls/.xlsx) while preserving all formatting, formulas, styles, colors,...

0· 119·0 current·0 all-time
by@loverun321

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for loverun321/erptax.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "ERP Tax Filler" (loverun321/erptax) from ClawHub.
Skill page: https://clawhub.ai/loverun321/erptax
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install erptax

ClawHub CLI

Package manager switcher

npx clawhub@latest install erptax
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with the included scripts: the code reads ERP .xls exports, unpacks .xlsx to XML, updates cached cell <v> values, removes calcChain, and repacks — all coherent with 'preserve formulas/styles while filling templates'. There are no unrelated network calls, credentials, or unrelated binaries requested.
!
Instruction Scope
SKILL.md instructs use of Excel COM (PowerShell) to convert .xls → .xlsx. Opening workbooks via COM can run Workbook_Open/Auto_Open macros: the instructions do not advise disabling macros or setting AutomationSecurity, which is a real code-execution risk if templates or ERP exports contain macros. The rest of the runtime instructions (unpack, edit only <v>, delete calcChain, repack) match the scripts, but the docs also warn against openpyxl while the code imports xlutils.copy (docstring mentions it) — a minor inconsistency. Also the script contains hardcoded fallback numeric values for some profit rows (could insert unexpected defaults when ERP data is missing).
Install Mechanism
No install spec or external downloads; all code files are included in the skill bundle. That reduces supply-chain risk. The scripts depend on Python packages (xlrd, xlutils) that must be present in the runtime environment but there is no installer here.
Credentials
The skill requests no environment variables, no credentials, and accesses only local files supplied by the user. There is no evidence of credential exfiltration or unrelated secret access in the code.
Persistence & Privilege
always:false and user-invocable; the skill does not request persistent or system-wide changes and does not modify other skills or global agent settings. It runs only when invoked.
What to consider before installing
This skill appears to do what it claims (XML-editing of .xlsx to preserve formulas/styles), but take these precautions before using it or installing it into an agent: - Do not run it on production/original templates — always test on copies and keep backups. - The SKILL.md recommends converting .xls via Excel COM. Opening files in Excel via COM can execute macros (Workbook_Open, Auto_Open). If you need to use Excel automation, ensure macros are disabled (e.g., set Application.AutomationSecurity = msoAutomationSecurityForceDisable) or otherwise ensure templates are trusted and free of malicious VBA. - The unpack/pack/edit flow will remove xl/calcChain.xml and repack the archive; if the workbook contains VBA (vbaProject.bin) or is macro-enabled (.xlsm), converting/saving as .xlsx or repacking may strip or break macros. The unpacker warns about vbaProject.bin — heed that. - The scripts assume presence of Python packages (xlrd, xlutils). The bundle includes no installer; confirm these dependencies and test in a controlled environment. - There are hardcoded fallback numeric values in the profit-table mapping — if ERP data for those lines is missing the script will insert those defaults; review and adjust if that is unacceptable. - Minor doc/code mismatch: SKILL.md strongly warns against using xlutils/openpyxl in some places but erp_fill.py imports xlutils.copy (though it doesn't appear to actually use it). Treat this as a small maintainability/quality issue and review the code before running. If you intend to use this in an automated/agent context, require user confirmation before running and ensure the environment disallows unintended macro execution. If you cannot review the templates and code yourself, consider this skill suspicious and avoid running it on sensitive data.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dr07yg2q1j8z0qvg5bjqejx83knzn
119downloads
0stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
@loverun321
latest
Download

Excel 财务报表模板填充

When to Use

Fill ERP financial data (资产负债表, 利润表, 现金流量表) into official tax bureau Excel templates (.xls/.xlsx) while preserving all formatting, formulas, colors, locked cells, and cell protection.

Triggered when user asks to:

  • Fill in financial statements from ERP export
  • Populate tax reporting templates
  • Transfer data from ERP to official forms
  • Fill Excel templates without breaking formulas or formatting

Core Workflow

Step 1 — Convert .xls to .xlsx first

If template is .xls (BIFF format), convert using Excel COM:

$excel = New-Object -ComObject Excel.Application
$excel.Visible = $false; $excel.DisplayAlerts = $false
$wb = $excel.Workbooks.Open("C:\path\to\template.xls")
$wb.SaveAs("C:\path\to\template.xlsx", 51)  # 51 = xlOpenXMLWorkbook
$wb.Close($false); $excel.Quit()

⚠️ Do NOT use xlutils for format-preserving operations on BIFF files.

Step 2 — Unpack xlsx

python scripts/xlsx_unpack.py input.xlsx /tmp/xlsx_work/

Step 3 — Read ERP data

Use xlrd to read ERP export files:

  • 资产负债表: left cols 0-3 (资产), right cols 4-7 (负债)
  • 利润表: col1=行次, col3=本期, col4=本年累计
  • 现金流量表: col0=名称, col3=本期, col4=本年累计

See references/erp-row-maps.md for ERP row → template row mapping.

Step 4 — Edit XML directly

Key principle: Only modify <v> values, never touch <f> (formulas) or s= (styles).

Pattern for numeric cells:

<!-- Before -->
<c r="D7" s="34">
  <v>0</v>
</c>

<!-- After (replace only <v>) -->
<c r="D7" s="34">
  <v>1638.81</v>
</c>

Pattern for formula cells (update cached value only):

<!-- Before -->
<c r="D21" s="40">
  <f>ROUND(D7+D8+D9+D10+D11+D12+D13+D14+D15+D20,2)</f>
  <v>0</v>
</c>

<!-- After (keep <f>, update <v>) -->
<c r="D21" s="40">
  <f>ROUND(D7+D8+D9+D10+D11+D12+D13+D14+D15+D20,2)</f>
  <v>5012140.22</v>
</c>

Step 5 — Remove calcChain and repack

Delete xl/calcChain.xml (forces Excel to recalculate all formulas on open):

rm /tmp/xlsx_work/xl/calcChain.xml
python scripts/xlsx_pack.py /tmp/xlsx_work/ output.xlsx

Key Rules

  1. Never use openpyxl load_workbook() + save() on existing files — it corrupts VBA, pivot tables, sparklines, and theme colors
  2. Always delete calcChain.xml after editing formulas or cached values
  3. Never change s= attribute (style index) or r= attribute (cell reference)
  4. Only modify <v> tags — everything else is untouched

References

  • ERP row mapping: references/erp-row-maps.md
  • XML edit patterns: references/xlsx-edit-guide.md
  • xlsx unpack/pack scripts: use from minimax-xlsx skill (copy to scripts/)

Source Scripts

ScriptPurpose
scripts/erp_fill.pyMain orchestrator: reads ERP + edits XML + repacks
scripts/xlsx_unpack.pyUnzip and pretty-print xlsx XML
scripts/xlsx_pack.pyRepack edited XML into valid xlsx

Comments

Loading comments...