Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
universal-data-analyst-en
v1.0.3Performs automated, LLM-driven data analysis including loading, validation, method selection, script generation, execution, and comprehensive reporting for d...
⭐ 0· 90·0 current·0 all-time
byyamaz@yamaz49
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description match the included modules (data loader, validator, orchestrator, LLM prompt generator, report generator). The code produces prompts for LLMs and coordinates a multi-step analysis pipeline, which is coherent with the stated purpose. Minor mismatch: README/SKILL.md includes example calls to an LLM client (Anthropic/Claude) but the shipped LLM module returns prompts rather than performing network calls and the skill declares no required env vars/credentials for LLM access.
Instruction Scope
The orchestrator generates full Python analysis scripts (via LLM prompts) and then executes them (the orchestrator imports subprocess and contains step execution logic). Executing code generated by an LLM on the user's machine is expected for this tool's purpose but is a high-risk action: generated scripts can contain arbitrary file I/O, shell/OS calls, or network operations and thus may exfiltrate data or modify the system. The SKILL.md and code instruct saving prompt files and calling an LLM externally — but the skill also supports an autonomous flow that can generate and run code. There are no enforced sandboxing or restrictions in the provided code.
Install Mechanism
There is no install spec (instruction-only skill with packaged Python modules). Nothing is downloaded at install time, so no arbitrary remote code is pulled during installation. The runtime will write output and prompt files to local output directories.
Credentials
The skill declares no required environment variables or credentials. However, documentation/examples reference calling external LLM APIs (Anthropic/Claude) which would require API keys if you choose to integrate — these keys are not managed by the skill. The shipped code itself does not appear to read unrelated system credentials or config paths.
Persistence & Privilege
always:false and no special persistence or modifications to other skills/configs. The skill creates session/output directories within the working directory; it does not request or claim system-wide privileges. Autonomous invocation is allowed by platform default, which combined with script execution increases blast radius but is not itself an unusual setting.
What to consider before installing
This skill is coherent with its stated purpose, but it generates Python analysis scripts via LLM prompts and can execute those scripts locally. Before installing or running: 1) Do NOT run this on sensitive or production systems without reviewing generated scripts first. 2) Inspect any generated analysis_script.py for network, subprocess, or filesystem operations (look for imports like requests, socket, subprocess, os.system, eval/exec, urllib, ftplib, paramiko). 3) Prefer running the orchestration and script execution inside an isolated environment (ephemeral VM, container, or sandbox) with limited network and file access. 4) If you will call external LLMs, keep API keys separate and only use trusted endpoints; the skill does not manage credentials. 5) Consider using the human-in-the-loop mode (generate prompts and scripts but manually review/execute) rather than fully autonomous execution. If you want me to, I can: (a) scan the full repository for occurrences of subprocess/requests/os.system/eval/exec/network endpoints, or (b) point to specific lines/functions to review before running.Like a lobster shell, security has layers — review code before you run it.
latestvk977e8k81ad36c0kgs94265tj9848544
License
MIT-0
Free to use, modify, and redistribute. No attribution required.