Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
JW Data Analyst
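v1.0.0 Data analysis assistant: automatically generates Python data-processing scripts, visualization charts, and statistical reports. Supports Excel/CSV/JSON/databases. Trigger words: 数据分析 (data analysis), 图表 (charts), 统计 (statistics), 报表 (reports), 可视化 (visualization).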
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes a reasonably scoped data analysis tool (Excel/CSV/JSON/db/API → cleaning, stats, charts). However, the ownerId in the package's _meta.json differs from the ownerId in the registry metadata. The SKILL.md also hardcodes a default save location ("默认保存到D盘", i.e. "saved to drive D: by default"), which is an unexpected assumption about the host environment and may not apply on non-Windows systems.
Instruction Scope
Instructions are high-level and focus on reading user-specified data sources and producing reports/plots; they do not instruct the agent to read arbitrary system files or exfiltrate data. Still, support for databases and API sources implies the skill will need connection credentials at runtime, but the SKILL.md does not specify how credentials are provided or handled. The hardcoded save-to-D: path is an unexpected I/O instruction that could cause write attempts to an inappropriate location.
Install Mechanism
No install spec and no code files — instruction-only — so nothing is written to disk by an installer. This is the lowest-risk install model.
Credentials
The skill declares no required environment variables, which is consistent for an instruction-only tool. However, because it supports SQLite/MySQL/PostgreSQL and API data sources, it will likely ask users for connection strings/credentials at runtime. The SKILL.md does not document how credentials should be supplied or stored, which raises a proportionality/usability question and a potential risk if users paste production credentials without guidance.
Persistence & Privilege
always:false and normal model invocation settings — the skill won't be force-included or request persistent elevated privileges. The skill does assert default file save behavior but does not attempt to modify other skills or system-wide settings.
What to consider before installing
This skill appears to do what it says (generate analysis scripts, charts, reports), but there are a few things to check before installing or using it.
1) Metadata mismatch: _meta.json lists a different ownerId than the registry metadata — ask the publisher to confirm authorship.
2) Do not supply production DB credentials or API keys until you confirm how the skill handles them; prefer temporary or read-only test credentials.
3) The SKILL.md says charts are saved to D: by default — verify or change the output directory to a location appropriate for your system.
4) Test the skill first with non-sensitive/sample data to confirm behavior.
5) If you need guarantees about credential storage or network access, request additional documentation from the author (how credentials are provided, whether data is sent to external endpoints, and how outputs are stored).
Like a lobster shell, security has layers — review code before you run it.
latestvk977697bkzv4n6dchdmsa0ftwd8535hk
