excel-parser

Security checks across malware telemetry and agentic risk

Overview

The skill appears to parse Excel files as advertised, but it can automatically install Python packages while running, which may change the user's environment without a clear approval step.

Review before installing. This skill is best used in an isolated virtual environment with dependencies preinstalled and pinned. Avoid letting it run automatic pip installs in a shared or sensitive Python environment, and treat Excel files as potentially untrusted input.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (14)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess
    print(f"正在安装依赖: {package}")
    try:
        subprocess.check_call([sys.executable, "-m", "pip", "install", package])
        print(f"依赖 {package} 安装成功")
        return True
    except subprocess.CalledProcessError as e:
Confidence
97% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", package])

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The README advertises automatic dependency installation as a feature even though Excel parsing does not inherently require modifying the host environment at runtime. In an agent/skill context, this increases risk because processing an untrusted file could trigger package installation or other environment changes, expanding the attack surface and violating least-privilege expectations.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
A file-parsing skill should not silently install packages as part of processing input. Doing so allows unreviewed code to be fetched and executed in the runtime environment, expanding the trust boundary from local file parsing to network-based package acquisition and package-install side effects.

Context-Inappropriate Capability

Medium
Confidence
81% confidence
Finding
Loading `.env` values in an Excel parser is unnecessary for the stated functionality and broadens access to secrets/configuration that the code does not need. Even though this file does not directly exfiltrate environment data, unnecessary secret loading increases the blast radius if the skill is later extended, logged, or combined with other components.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill metadata says it uses calamine, but the implementation silently falls back to `xlrd` and `openpyxl`, and may auto-install them. This mismatch reduces transparency, changes the runtime trust and attack surface, and can defeat operator assumptions about which libraries are permitted in the environment.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Describing automatic dependency installation without prominently warning that it changes the system is unsafe, especially for agent-executed skills where users may expect read-only file parsing. Silent or unexpected package installation can lead to integrity, supply-chain, and policy-compliance issues if packages are fetched from external sources during normal operation.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The description says users should always use this skill for a very broad set of Excel-related tasks, which can cause over-triggering and unnecessary access to user-provided files. In an agent environment, overly broad activation increases the chance that the skill handles requests outside its minimal intended scope, expanding data exposure and making downstream misuse easier.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
The skill metadata and instructions are Chinese-only and do not indicate language negotiation or preserving the user's language preference. This can lead to incorrect or confusing behavior, and in security-sensitive workflows may cause users to misunderstand what data is being processed or what the skill is doing.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Automatic package installation without user confirmation or deployment-time approval changes the host system as a side effect of parsing a document. In agent environments this is especially dangerous because a seemingly harmless content-extraction request can trigger outbound network access, package resolution, installation scripts, and persistent environment modification.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The guide explicitly recommends a non-interactive install mode using `--yes`, which suppresses confirmation prompts that may serve as a last safety check before installing remote skill content. In the context of an agent skill ecosystem where users may install directly from GitHub, normalizing prompt-skipping increases the chance of accidental installation of unreviewed or tampered content, especially in CI/CD where human review is absent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The publication instructions tell users to create an 'Entire account' PyPI API token and store it in GitHub Secrets, but provide no warning about the sensitivity of that credential or the risks of broad-scope tokens. If the repository or CI workflow is compromised, such a token could be abused to publish malicious packages or overwrite trusted releases, creating a software supply-chain risk.

Unpinned Dependencies

Low
Category
Supply Chain
Content
python-dotenv
python-calamine
Confidence
96% confidence
Finding
python-dotenv

Unpinned Dependencies

Low
Category
Supply Chain
Content
python-dotenv
python-calamine
Confidence
95% confidence
Finding
python-calamine

Known Vulnerable Dependency: python-dotenv — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
86% confidence
Finding
python-dotenv

VirusTotal

66/66 vendors flagged this skill as clean.
