excel-parser
Review
Audited by ClawScan on May 10, 2026.
Overview
The Excel parsing purpose is coherent, but the skill can automatically run pip installs for third-party packages at runtime without an explicit install spec.
Only use this skill if you are comfortable with it potentially installing Python packages. Safer use would be inside a virtual environment with dependencies preinstalled and pinned. There is no evidence of exfiltration or destructive behavior in the provided artifacts, but the runtime package installation behavior should be reviewed first.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill may download and install Python packages before parsing a spreadsheet, potentially changing the user's environment without a separate approval step.
Creating the parser can run a local pip install command when a dependency is missing. That can execute package installation logic and modify the Python environment, while the registry declares no install spec.
subprocess.check_call([sys.executable, "-m", "pip", "install", package]) ... if install_dependency("python-calamine"):
Remove automatic runtime installation or require explicit user approval. Prefer a declared install spec, pinned dependency versions, and clear setup instructions.
A future or environment-specific dependency version could be installed instead of a reviewed one.
The dependencies are not version-pinned. Because the script can install missing packages automatically, the exact third-party code installed is not fixed by the artifact.
python-dotenv python-calamine
Pin dependency versions, provide hashes or a lockfile where possible, and avoid runtime dependency installation from unconstrained package names.
