ClawHub

Data Analyzer

v1.0.1

Data analysis and visualization skill for CSV, Excel, and JSON data. Use when analyzing sales data, creating reports, generating charts, or processing e-comm...

0· 406·3 current·3 all-time
byYinanping@yinanping-cpu
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill claims multiple scripts and e-commerce-specific analyses (analyze_sales.py, generate_charts.py, inventory_analysis.py, customer_analysis.py) and many features, but the bundle only contains a single script (scripts/analyze_data.py). No homepage or source repository is provided and the owner identity is opaque. The declared metadata lists no required env vars or binaries, yet SKILL.md refers to pandas/matplotlib as required packages. These gaps make the stated purpose and the delivered capability inconsistent.
!
Instruction Scope
SKILL.md contains runnable examples that invoke several scripts that do not exist in the package; following those examples would fail or cause the agent to search for/attempt to fetch missing files. The instructions also advise installing Python packages (pandas, matplotlib) but there is no controlled install mechanism declared. The instructions do not request any credentials or external endpoints for data exfiltration, and the included analyze_data.py performs only local file I/O and report generation (no network calls).
Install Mechanism
No install specification is present in the registry metadata (lowest risk), but README suggests 'npx clawhub install yinan-data-analyzer' as a user command. The lack of an official install spec in the registry means installations are not reproducibly declared. Missing declared package dependencies (pandas/matplotlib) could lead to ad-hoc pip installs by users or the agent.
Credentials
The skill requests no environment variables, credentials, or config paths — which is proportionate for a local data-processing tool. The included Python script also does not read environment variables or network endpoints. This is appropriate given the claimed functionality.
Persistence & Privilege
The skill does not request elevated persistence (always:false) and the default autonomous invocation is unchanged. It does not attempt to modify other skills or system configuration. No persistence-related red flags were found.
What to consider before installing
Proceed cautiously. The single provided script (scripts/analyze_data.py) appears benign and only reads local files and writes reports, but the documentation advertises many additional scripts and features that are missing and there is no homepage or repository to verify provenance. Before installing or running: (1) ask the publisher for the missing scripts/source repo and verify authenticity; (2) review the code locally (especially for any network access) and run it in an isolated environment or VM on non-sensitive data; (3) avoid giving any credentials — none are required; (4) be prepared to manually install pandas/matplotlib if you need full functionality; and (5) if you expect the extra e-commerce scripts, do not trust this package until the author supplies the actual files or a verified source. If you are uncomfortable with unknown provenance or missing files, do not install or enable autonomous invocation.

Like a lobster shell, security has layers — review code before you run it.

latestvk976h6q579gkea66y1y03gegj582f5er

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments