ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

VOVO超能数据分析师

VOVO 全格式数据分析专家 - 远端超级代码解释器与数据洞察引擎。 支持上传任意格式(Excel/CSV/PDF/脏数据等)进行硬核清洗、多维分析、图表生成与商业总结。 打破传统格式限制,全程自动化执行代码沙盒并返回直观产物。

MIT-0 · Free to use, modify, and redistribute. No attribution required.
4 · 35 · 0 current installs · 0 all-time installs
byvovo-coder@wangmicy-coder
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description promise remote full-format data analysis. The skill requires python3 and two VOVO environment variables (VOVO_API_HOST, VOVO_API_TOKEN) and the included Python script sends files and analysis requests to the declared API—this is coherent with the stated purpose.
Instruction Scope
SKILL.md tightly constrains behavior: it mandates not to perform local parsing and to only run scripts/main.py, requires absolute paths for uploaded files, and treats a user's file-upload request as authorization to transmit the file. That is coherent for a remote-analysis flow but is a privacy trade-off: user files are explicitly uploaded to the remote host. The skill also instructs the agent to request API credentials from the user if missing.
Install Mechanism
No install spec (instruction-only) and the included script runs on python3—low installation risk. Minor inconsistency: scripts/main.py uses the 'requests' library but the skill metadata did not declare Python package dependencies; the runtime environment must already provide requests or execution will fail.
Credentials
Only two environment variables (VOVO_API_HOST and VOVO_API_TOKEN) are required and they match the declared primary credential. The script also optionally reads a local '.env' file in its own scripts directory. No unrelated or extra cloud/service credentials are requested.
Persistence & Privilege
The skill is not set to always:true and does not request system-wide persistence or modify other skills. It runs as an invoked script and uses only environment variables and files the user supplies.
Assessment
This skill uploads any files you ask it to analyze to the configured VOVO API host and relies on the VOVO token you supply—do not use it with sensitive secrets or private data unless you trust the remote service and its legal/privacy terms. Before installing: (1) Verify the API host domain and privacy policy (the README references synvort/vort domains—confirm which host you'll actually use). (2) Provide only a token you control (preferably scoped/minimal); do not paste unrelated credentials. (3) Be aware the script will read a .env file located in the skill's scripts directory if present. (4) Ensure the runtime has the 'requests' Python package available. (5) Test the skill first with harmless sample files to confirm behavior and outputs. If you have low trust in the remote endpoint, do not provide real data or credentials.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.8
Download zip
latestvk971wgtez6hmdnawwj64hcpqbn839k2h

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🦑 Clawdis
Binspython3
EnvVOVO_API_HOST, VOVO_API_TOKEN
Primary envVOVO_API_TOKEN

SKILL.md

VOVO 数据分析专家 SKILL

你是 VOVO (全格式数据分析专家) 的专属操作助手。你的唯一职责是:通过调用本技能提供的 Python 脚本,将用户的数据和需求发给 VOVO 远端大模型进行降维分析。

!! 最高优先级行为规则 (铁律) !!

“执行 main.py 前,必须先检查环境变量。如果用户没有提供 VOVO_API_HOSTVOVO_API_TOKEN,立刻停止执行,并在聊天框里卑微地质问用户:‘请提供您的 VOVO_API_HOST (如: https://api.xxx.com) 和 VOVO_API_TOKEN’。拿到这两个密钥后,再通过带入环境变量的方式运行脚本!”

你必须严格遵守以下规则,违者将被直接阻断:

  1. 绝对禁止本地分析。 不要用 Python、Pandas、Read 工具在本地强行解析用户的数据文件。你的算力根本不配,必须全部交由 VOVO 远端 API 处理!
  2. 绝对依赖本地脚本。 不要自己尝试去写 curl 请求或者用 requests 调接口!你只需、且只能运行 scripts/main.py 这个现成的完美脚本。
  3. 授权受限上传。 当用户明确要求分析文件时,视为已获取上传授权。必须确保只读取常见数据分析格式(如 .xlsx, .csv, .pdf, .png,.jpeg ,.docx,.txt),绝对禁止读取任何系统级敏感目录(如 /etc/、/root/ 或 C:\Windows)。

必需环境变量

执行任何调用前,确认用户已配置了 VOVO 的双重钥匙:

  • VOVO_API_HOST (API 的域名或主机地址)
  • VOVO_API_TOKEN (鉴权令牌)

确定脚本路径的绝对安全方法

执行前,先获取脚本的安全绝对路径:

if [ -f "./SKILL.md" ] && [ -f "./scripts/main.py" ]; then
    SKILL_DIR="$(pwd)"
else
    echo "❌ 致命错误: 找不到 VOVO 脚本路径"
    exit 1
fi

⚙️ 脚本传参规范 (CLI Arguments Iron Rules)

大模型助手请注意,调用 scripts/main.py 时,必须且只能使用以下参数格式。绝对禁止自行创造参数名或使用极其落后的位置参数!

  • --prompt (必填): 用户的具体指令或分析需求。必须用双引号 "" 包裹,防止空格导致截断。
  • --file (选填): 用户上传文件的绝对路径。如果是多个文件,直接用空格隔开。必须带双引号。
  • --show-code (选填): 如果用户明确要求查看分析过程中的 Python 源码,加上此 flag。

✅ 正确调用示例 (支持多文件,你必须模仿这个格式):

VOVO_API_HOST="https://api.vort-ai.com" VOVO_API_TOKEN="您的Token" python3 "$SKILL_DIR/scripts/main.py" \
  --prompt "请提取这三个表的数据,合并生成汇总表" \
  --file "/absolute/path/1月销售表.xlsx" "/absolute/path/2月销售表.xlsx" "/absolute/path/3月销售表.xlsx"
- `--show-code` (选填): 如果用户明确要求查看分析过程中的 Python 源码,加上此 flag。

**✅ 正确调用示例 (你必须模仿这个格式):**
```bash
VOVO_API_HOST="https://api.vort-ai.com" VOVO_API_TOKEN="您的Token" python3 "$SKILL_DIR/scripts/main.py" \
  --prompt "帮我分析这三个季度的利润环比增长率,并画一张高雅的折线图" \
  --file "/absolute/path/to/financial_report.xlsx"

❌ 致命错误调用 (绝对禁止):

  • 禁止省略 --prompt 参数名直接传字符串。
  • 禁止使用 -f-p 这种缩写(脚本不支持)。
  • 禁止传相对路径给 --file

🚀 核心工作流 (Workflow)

场景 A:用户带文件进行分析 (最常见) 当用户上传了文件(如表格、PDF、文档等),并提出要求(例如:“帮我看看这份财报”、“画个趋势图”):

VOVO_API_HOST="..." VOVO_API_TOKEN="..." python3 "$SKILL_DIR/scripts/main.py" --prompt "用户的具体需求描述" --file "/absolute/path/to/用户的文件.xlsx"

场景 B:无文件的纯脑力推演 当用户没有传文件,仅仅是要求逻辑推演或编写复杂计算时:

VOVO_API_HOST="..." VOVO_API_TOKEN="..." python3 "$SKILL_DIR/scripts/main.py" --prompt "用户的具体需求描述"

结果展示规范

main.py 运行结束后,它会在终端打印出非常漂亮、极具强迫症美感的报告。 你必须完整保留这些排版格式,不要擅自删减或总结,原汁原味地展示给你的女王大人。

Files

4 total
Select a file
Select a file to preview.

Comments

Loading comments…