Csv Brain
v1.0.3Load CSV files and ask questions in plain English. AI-powered natural language queries via Anthropic, OpenAI, or local Ollama. No SQL required.
⭐ 0· 255·2 current·2 all-time
byShadow Rose@theshadowrose
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match the implementation: src/csv-brain.js parses CSVs, profiles columns, runs structured queries, and forwards natural-language questions to Anthropic, OpenAI, or a local Ollama. The optional environment variables in SKILL.md (ANTHROPIC_API_KEY, OPENAI_API_KEY, OLLAMA_HOST) are exactly what's needed to contact those providers. No unrelated credentials, binaries, or install steps are requested.
Instruction Scope
The runtime instructions and code are within scope for a CSV-querying skill, but the ask() implementation builds a system prompt that includes column profiles and up to the first five rows and then sends that to the chosen provider. That means using remote Anthropic/OpenAI will transmit dataset summaries and sample rows to those external services — expected for this feature, but a potential data-exfiltration/privacy risk for sensitive files.
Install Mechanism
No install spec is present (instruction-only with a source file). There are no downloads or package installs; user is instructed to copy src/csv-brain.js into their project. This is low-risk from an installation perspective.
Credentials
No required environment variables are declared; the SKILL.md documents optional provider keys which are proportionate to the stated multi-provider feature. The skill reads only the documented env vars (ANTHROPIC_API_KEY, OPENAI_API_KEY, OLLAMA_HOST) to contact model APIs. These keys are sensitive — they must be provided by the user and are not required unless remote models are used.
Persistence & Privilege
The skill is user-invocable, not always-enabled, and does not request persistent or elevated agent/system privileges. It does file I/O (reads whatever file path you supply), which is necessary for a CSV loader; it does not attempt to modify other skills or global agent config.
Scan Findings in Context
[system-prompt-override] expected: The SKILL.md and source build a system prompt directing the model to return JSON-only. This pattern triggers a prompt-injection heuristic but is expected here because the skill must control model output format to parse answers reliably.
Assessment
This skill appears to be what it claims: a local CSV parser and an LLM-backed query helper. Important things to consider before installing or using it: (1) If you call ask() with Anthropic/OpenAI, the skill sends column statistics and up to the first five rows to the remote provider — don't use it with sensitive data unless you accept that transmission. (2) API keys are optional but required to use remote providers; treat them as secrets. (3) The code reads any file path you pass to load(), so ensure you only load intended CSVs (it will read files the running process can access). (4) There are no external downloads in the install, but you should still inspect the full src/csv-brain.js (including helper methods not shown in the truncated snippet) to confirm there are no unexpected network calls or hard-coded endpoints beyond the documented providers. (5) If you need to avoid sending data off-host, prefer a local Ollama server (OLLAMA_HOST) or run without setting remote API keys.Like a lobster shell, security has layers — review code before you run it.
analysisvk973rakx0rsqckd0ksm70zz7kx82jpwscsvvk973rakx0rsqckd0ksm70zz7kx82jpwsdatavk973rakx0rsqckd0ksm70zz7kx82jpwslatestvk973rakx0rsqckd0ksm70zz7kx82jpwsparsingvk973rakx0rsqckd0ksm70zz7kx82jpwsspreadsheetvk973rakx0rsqckd0ksm70zz7kx82jpws
License
MIT-0
Free to use, modify, and redistribute. No attribution required.