Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ifc To Excel
v2.0.0Convert IFC files (2x3, 4x1, 4x3) to Excel databases using IfcExporter CLI. Extract BIM data, properties, and geometry without proprietary software.
⭐ 0· 1.1k·2 current·2 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The name/description and instructions consistently describe converting IFC to Excel using an external CLI (IfcExporter.exe) or IfcOpenShell. However, the skill declares no required binaries or credentials in its metadata even though the runtime explicitly depends on a local executable (IfcExporter.exe) or IfcOpenShell. That mismatch (metadata says 'none' but SKILL.md requires a binary) is incoherent and could mislead users about what will actually run.
Instruction Scope
The SKILL.md instructions are narrowly scoped to reading IFC files from disk, invoking a local CLI, and writing Excel/DAE outputs. There are no instructions to read unrelated system files or environment variables, nor to transmit data remotely. The Python examples call subprocess.run to invoke the CLI and check file existence; that is expected for this task. One note: the instructions assume the presence of IfcExporter.exe and IfcOpenShell but do not explain how/where to obtain or verify those binaries.
Install Mechanism
There is no install spec (instruction-only), which is low-risk by itself. However, because the runtime depends on an external executable (IfcExporter.exe) of unknown origin, the lack of an install mechanism means users may download that binary from an untrusted source. The skill does not link to an official homepage or release host or describe trusted installation steps (e.g., use IfcOpenShell from its official project).
Credentials
The skill does not request environment variables, credentials, or config paths beyond filesystem access. The declared permission for filesystem access matches the stated need to read IFC and write Excel files. There are no excessive credential requests.
Persistence & Privilege
The skill is not marked always:true and is user-invocable. It does require filesystem permission (declared in claw.json), which is proportionate to its function. It does not request elevated or persistent privileges or attempt to modify other skills' configurations.
What to consider before installing
This skill appears to do what it says (convert IFC files to Excel) but it expects you to have a separate CLI (IfcExporter.exe) or use IfcOpenShell. The skill metadata fails to declare that required binary and provides no homepage or install instructions. Before installing or running this skill:
- Verify the provenance of IfcExporter.exe if you intend to use it. Prefer well-known sources (official project sites or GitHub releases) or use IfcOpenShell (an established open-source alternative) instead.
- If you must download a binary, obtain it from an official/reputable release page and verify checksums/signatures when available.
- Run conversions in an isolated environment (container or VM) if you are unsure about the binary's origin, since the skill will execute that local program with access to files.
- Limit filesystem access to only the directories containing IFC files and outputs, and avoid granting broad system-wide access.
The main red flag is the metadata/instructions mismatch and missing provenance for the external CLI; these are likely oversights but could be exploited if an attacker convinces you to install an untrusted binary. If the author can provide an official download URL, checksums, or switch the skill to use IfcOpenShell (with clear install guidance), the concern would be resolved.Like a lobster shell, security has layers — review code before you run it.
latestvk9769stkhw5m3bt2js1098191d812rsv
License
MIT-0
Free to use, modify, and redistribute. No attribution required.