Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
work attendance skill
v1.0.0
Analyze the weekly attendance records of employees at Zhuihui Branch and generate an attendance report in docx format. At the same time, output an xlsx file...
by @wang2y
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw)
Verdict: Suspicious (medium confidence)
Purpose & Capability
The name, SKILL.md, and the included Python script all target the same task (analyzing attendance Excel files). However, SKILL.md requires the agent to produce a .docx report and an .xlsx supplement while the included script advertises producing structured JSON for AI report generation; no code or declared dependency is provided to generate .docx/.xlsx files. Also the skill manifest declares no install or dependency information despite the script requiring openpyxl. This is an incoherence between claimed outputs and the actual artifacts in the bundle.
Instruction Scope
The runtime instructions are narrowly scoped to reading the provided Excel file, applying branch-specific rules, and producing departmental metrics. They reference only local included files (the references and examples). No instructions request external endpoints or unrelated system files. However, SKILL.md expects the creation of .docx/.xlsx outputs but neither specifies how to create them nor includes helper code or libraries for that purpose; the agent may be expected to perform that conversion itself without guidance.
Install Mechanism
There is no install spec in the registry. The Python file imports openpyxl and prints an error and exits if it is missing; openpyxl (and possibly libraries for writing .docx/.xlsx output, such as python-docx, or openpyxl's own write support) is required at runtime but is not declared in the skill metadata. Without an install mechanism or dependency list, the operator must install runtime packages manually. This is a packaging/operational risk (surprises at runtime), though not a clear malicious indicator.
Credentials
The skill does not request environment variables, credentials, or config paths. The code reads only the provided Excel file and local reference files. No secrets or unrelated service credentials are requested.
Persistence & Privilege
The skill is not always-enabled, does not request persistent platform privileges, and does not modify other skills' configurations. It can be invoked by the agent (normal behavior) but has no elevated or permanent presence.
What to consider before installing
Summary of what to consider before installing/running:
- Functionality: The skill appears to do what it says (attendance analysis for the named branches) and includes a substantial Python script implementing the business rules. The SKILL.md and examples are consistent with the script's logic (exclusions, sub-department splitting, weekend-rotation rules).
- Packaging gaps (reason for 'suspicious'): The package has no install specification or dependency list. The script requires Python and the openpyxl package (it errors out if openpyxl is missing), and SKILL.md promises .docx and .xlsx outputs but the included script only advertises structured JSON output — there is no explicit code or declared dependency to create .docx/.xlsx files. You (or the agent runtime) will likely need to install Python packages manually (openpyxl, and possibly python-docx or a writer for Excel files) or implement the conversion. This mismatch can cause runtime surprises.
- Security & privacy: The skill processes sensitive HR data (employee names, IDs, attendance). The included code does not appear to make network calls or exfiltrate data (no requests/urllib/sockets in the provided code), but you should still: (1) review the full script yourself to confirm there are no hidden network callbacks, (2) run it in an isolated/sandbox environment if possible, and (3) avoid sharing the raw Excel with untrusted services.
- Recommended actions before use:
  - Inspect the full analyze-attendance.py for any network I/O or os.system/subprocess calls (the provided snippet shows none, but verify the remainder of the file).
  - Ensure you have a trusted Python runtime and install required packages (pip install openpyxl and any library you choose for generating .docx/.xlsx). Consider using a virtual environment.
  - If you expect the skill to autonomously write .docx/.xlsx, either add or confirm code to perform those writes (and include any needed libraries) or be prepared to convert the JSON output to docx/xlsx yourself.
  - Because the publisher is unknown, prefer running on non-production or anonymized test data first.
- What would change this assessment: If the skill metadata were updated to declare required Python packages and an install spec (or included code that actually writes .docx/.xlsx), the packaging concerns would be resolved and the verdict could move to benign. Conversely, discovery of network/credential access in the rest of the code would increase severity and confidence toward malicious.
