Skill v1.0.0

ClawScan security

Data Report Generator — CSV/Excel to Word/PDF with Charts · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 10, 2026, 1:37 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's requests and runtime instructions match its stated purpose (turning tabular data into Word/PDF reports with charts); nothing in the package asks for unrelated secrets or external endpoints, but it does instruct runtime pip installs and writes files to disk which you should be aware of.
Guidance
This skill appears coherent for generating reports from uploaded CSV/Excel files, but review these practical safety points before installing or running it:
- Runs code and will write files: the instructions generate and save chart images and PDF/DOCX files locally; avoid uploading highly sensitive data unless you trust the execution environment.
- Runtime pip installs: the SKILL.md tells the agent to run pip to install libraries from PyPI. That is normal for Python tools, but the command uses --break-system-packages (this can alter system-managed packages). Prefer running in an isolated virtualenv/container or remove the --break-system-packages flag.
- Missing dependencies: some reference snippets use libraries not included in the single pip line (e.g., reportlab, scipy, python-docx). Be prepared to install additional packages or update the dependency list so runtime failures don't prompt ad-hoc installs.
- File paths: example outputs use absolute paths (e.g., /home/claude/report.pdf). Ensure the agent uses safe, writable, and expected directories rather than system-sensitive locations.
If you plan to use this skill in production, run it first in a sandbox/container, review and pin the exact dependency list, remove the --break-system-packages flag, and avoid uploading confidential datasets until you verify the runtime behavior.

Review Dimensions

Purpose & Capability
ok: Name/description (CSV/Excel → Word/PDF reports) aligns with the instructions: code shows data loading, profiling, chart generation, and report building. Declared required binaries (python3, pip) are appropriate. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
note: SKILL.md contains explicit Python scripts that load user-uploaded files, profile data, generate charts, and write .png/.pdf/.docx outputs. It does not instruct reading arbitrary system files or environment variables beyond normal use. However, it tells the agent to run pip installs at runtime, and its example output paths (e.g., /home/claude/report.pdf) will write files to disk. The instructions also reference additional libraries (scipy, reportlab, python-docx) in reference files even though the single pip command in the main flow does not install all of them.
Install Mechanism
note: There is no formal install spec (instruction-only), which is lowest static risk. The runtime instructions include a pip install command that pulls packages from PyPI (matplotlib, seaborn, pandas, openpyxl). That is an expected mechanism for a Python data/reporting skill. Two points to note: (1) the pip command uses --break-system-packages (which can allow modifying system-managed packages and may be undesirable on shared systems), and (2) several referenced snippets require extra packages (reportlab, scipy, python-docx) that are not installed in the single pip line; relying on implicit installs can cause runtime failures or make operators run additional installs manually.
Credentials
ok: The skill requests no environment variables, no credentials, and no config paths. Its operations (file I/O, local package installs) are proportional to the documented purpose.
Persistence & Privilege
ok: Flags show always:false and the skill is user-invocable; it does not request permanent platform-level presence or modify other skills. The skill will run code when invoked (normal for instruction-only skills).