Skill v1.2.0

ClawScan security

舟谱订单导入 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 13, 2026, 3:04 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code and instructions match the stated purpose (generating Zhoupu import Excel from local order + price spreadsheets); nothing requests unrelated secrets or external endpoints, though the included Python scripts require Python + pandas/openpyxl which the metadata did not declare.
Guidance
This skill appears to be what it says: a local Excel-to-Excel template generator for the Zhoupu system. Before installing or running it:
1) Verify you have Python and the required packages (pandas, openpyxl); the skill metadata did not list these.
2) Inspect the two included Python scripts locally (they are plain text) and run them in a safe environment; they do not make network requests.
3) Only pass in the intended order/price Excel files (do not point the tool at sensitive unrelated files).
4) Follow the SKILL.md manual approval step (send the generated file to the named reviewer) if your process requires human verification; otherwise an agent with autonomous invocation could generate files without that human check.
5) If you need stricter controls, disable autonomous invocation for this skill or run the scripts manually in a sandboxed environment.

Review Dimensions

Purpose & Capability
Status: note
Name/description (生成舟谱导入模板, i.e. "generate Zhoupu import template") align with the provided scripts and SKILL.md: both scripts read local Excel price/order files and produce Excel import templates. Minor mismatch: the registry metadata declared 'required binaries: none', but the runtime requires Python and the pandas and openpyxl libraries. This is likely an omission rather than malicious intent, but the skill will not run without those dependencies.
Instruction Scope
Status: ok
SKILL.md instructs the agent (or user) to run the two Python scripts on local Excel files, use specific arguments, and follow a manual approval step. The instructions reference only local file paths and the Zhoupu portal URL for human upload; there are no instructions to read unrelated system files, access network services, or transmit data to unknown endpoints. The strict verification/approval steps are explicitly stated.
Install Mechanism
Status: ok
No install spec (instruction-only with bundled scripts). That is low-risk: nothing is downloaded at install time. The included scripts will be executed locally if invoked; they are plain Python and not obfuscated. There are no external download URLs or installers.
Credentials
Status: note
The skill requests no environment variables or credentials, and the scripts do not perform network calls. Proportionality is good. Note: the scripts will read any Excel files you provide, and the examples use local paths under C:\Users\... or the workspace; you should only point them at the intended spreadsheet files. Also, the skill metadata omits the required runtime dependencies (Python + pandas + openpyxl).
Persistence & Privilege
Status: ok
The 'always' flag is false and the skill is user-invocable. It does not modify other skills or request permanent presence. The default ability for the agent to invoke the skill autonomously remains enabled (disable-model-invocation=false), which is standard; combine this with the human approval note in SKILL.md if you require manual review before generation.