Excel Report
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its Excel-report purpose, but its template engine uses unrestricted Python eval on formula text, which is risky if templates are untrusted or modified.
Install only if you trust the skill source and can review or restrict its templates. Be especially cautious with modified or third-party templates because formula evaluation uses Python eval. If using email sending, use limited SMTP credentials and verify the report and recipient before sending.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or tampered template could run code on the user's machine when report calculations are performed.
Formula text from template configuration is converted into a Python expression and evaluated without a sandbox or allowlist, so an untrusted or modified template formula could execute arbitrary Python code.
result = eval(expr)
Replace eval with a restricted formula parser or AST-based evaluator that only permits expected arithmetic, column references, and approved aggregation functions.
If enabled, the skill can use the configured email account to send generated reports.
The email feature requires SMTP account credentials and can send mail on the user's behalf; this is purpose-aligned but sensitive.
export SMTP_HOST=smtp.gmail.com
export SMTP_USER=your@email.com
export SMTP_PASSWORD=xxx
python scripts/generate_report.py ... --email --to user@email.com
Use a limited app password or dedicated SMTP account, verify recipients, and avoid storing long-lived credentials in shared shell history or environments.
Business, financial, medical, or operational data included in a report may leave the local environment via email.
Generated reports derived from local data can be sent through an external email provider when the user enables the email option.
Batch generation + email sending: ... --email --to <addr>
Only use email sending for intended recipients, review the generated workbook first, and avoid emailing sensitive reports unless the SMTP provider and recipient are trusted.
Users may install whatever current versions are available from their configured Python package index.
The setup instructions install dependencies without version pins or hashes; this is common for a Python reporting tool but leaves package provenance and repeatability to the user.
pip install openpyxl pandas
Pin dependency versions, install from trusted indexes, and prefer a reviewed requirements file or lockfile for repeatable installs.
