Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Excel Generator

v1.0.0

Generate professional Bloomberg-style Excel workbooks from natural language descriptions. Creates multi-sheet workbooks with dashboards, KPI cards, charts, c...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's name and description align with generating Excel workbooks using Python/openpyxl. However, the SKILL.md assumes availability of python3 and openpyxl and a local generator script (scripts/excel_generator.py) even though the skill declares no required binaries, dependencies, or code files. The missing dependency/instruction mapping is inconsistent.
Instruction Scope
Instructions tell the agent to cd into and write files under a specific user path (/Users/synapsefirm/.openclaw/workspace), run a local script (scripts/excel_generator.py), and save outputs to /Users/synapsefirm/.openclaw/workspace/excel-projects/. The skill also prescribes a default password (Formly2026!) for password-protected deliverables. These actions involve writing/reading local filesystem locations and rely on a script that is not included — scope and assumptions are unclear and potentially unsafe.
Install Mechanism
This is an instruction-only skill with no install spec, which is low risk in general. But it assumes external runtime capabilities (python3, openpyxl) and a local script; the absence of declared dependencies or an included generator script is an incoherence to address before use.
Credentials
The skill requests no environment variables but hardcodes a filesystem path containing a specific username (synapsefirm) and embeds a default password (Formly2026!). Both are disproportionate: the hardcoded path suggests the skill was written for a particular environment, and the embedded password is a sensitive default that could lead to insecure sharing if used as-is.
Persistence & Privilege
The skill does not request permanent presence (always: false) and does not declare modifications to other skills or system-wide settings. Autonomy is allowed by default, but that is not by itself a concern here.
What to consider before installing
This skill looks like it will produce Excel workbooks, but there are several red flags you should resolve before installing or running it:

- Ask the publisher to provide the python generator script (scripts/excel_generator.py) or include clear install steps. Right now the SKILL.md tells the agent to run a script that is not part of the skill.
- Confirm runtime requirements: python3 and the openpyxl library are required but not declared. Ensure those are available in a safe environment.
- Do not rely on the hardcoded filesystem path (/Users/synapsefirm/.openclaw/workspace). Ask for a configurable output path or confirm where files will be written in your environment so the skill cannot unexpectedly access other user files.
- Change the embedded default password (Formly2026!) and remove any instruction that encourages using a shared default credential; require the user to supply passwords or omit default-protection entirely.
- If you care about privacy, verify that the skill does not transmit your workbook or source data to external endpoints (the SKILL.md does not mention network calls, but the missing script could). Request the full script or run the generator in a sandboxed environment first.

If the publisher can provide a corrected SKILL.md (no hardcoded user paths, no embedded passwords, explicit dependency declarations, and the generator script included or an install spec), the skill would be materially more trustworthy.

