Skill v1.0.0

ClawScan security

Data Processing Script Generator (数据处理脚本生成器) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 2, 2026, 3:51 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
Instruction-only skill that asks for user-provided Excel/CSV samples and describes generating Python data-processing scripts; its requirements and instructions are consistent with that purpose.
Guidance
This skill is instruction-only and appears coherent, but before using it: (1) only supply the actual Excel/ERP sample files needed — review them for sensitive information or PII before sending; (2) review any generated Python code before running it (look for hardcoded paths, destructive file operations, or network calls); (3) run generated scripts in a safe environment (virtualenv or sandbox) and verify outputs on non-production data; (4) if you later want the script to run automatically against shared/network locations, consider what credentials or network access will be needed and manage them securely.

Review Dimensions

Purpose & Capability
ok: Name/description (generate data-processing scripts from Excel+ERP exports) matches the SKILL.md: it requests sample files, mapping rules, paths and then generates Python scripts. No unrelated credentials, binaries, or installs are requested.
Instruction Scope
ok: Instructions explicitly operate on files the user must provide (Excel templates, ERP export samples) and on user-confirmed filesystem paths; they do not instruct reading unrelated system files, environment variables, or exfiltrating data. Example hardcoded paths are present in the doc as examples — the skill asks the user to confirm/change them.
Install Mechanism
ok: No install spec and no code files — instruction-only. This is lowest-risk for installation because nothing is downloaded or written by an installer.
Credentials
ok: No environment variables, credentials, or config paths are required. The only requested inputs are user-supplied files and path conventions, which match the described functionality.
Persistence & Privilege
ok: always is false and the skill is user-invocable; it does not request persistent or elevated agent-wide privileges. Autonomous invocation is allowed by platform default but not combined with other red flags.