Data Analyzer

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its data-analysis purpose, but its HTML report generation can embed untrusted spreadsheet or JSON values as executable HTML/JavaScript.

Install only if you are comfortable reviewing the included Python script and using it on selected local files. Avoid opening generated HTML reports from untrusted data until the report output is properly escaped, and do not fetch missing helper scripts from unverified sources.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If you analyze untrusted data and open the generated HTML report in a browser, malicious content inside the data could run as script and potentially expose or alter report contents.

Why it was flagged

Values derived from the input data are inserted directly into generated HTML without escaping or templating protections, so a crafted CSV/Excel/JSON value could become active HTML or JavaScript when the report is opened.

Skill content
```python
html += f"        <tr><td>{key}</td><td>{value}</td></tr>\n"
```
Recommendation

Escape all data-derived HTML with a safe encoder such as `html.escape`, use an auto-escaping template engine, and treat HTML reports from untrusted input as unsafe until fixed.

What this means

The agent or user may try commands that fail, or may be tempted to fetch replacement scripts from outside the reviewed package.

Why it was flagged

The skill documentation references helper scripts that are not present in the supplied file manifest, which only includes `scripts/analyze_data.py`.

Skill content
python scripts/analyze_sales.py ... python scripts/generate_charts.py ... python scripts/inventory_analysis.py ... python scripts/customer_analysis.py
Recommendation

Use only the included `scripts/analyze_data.py` unless the missing scripts are supplied by a trusted, reviewed update; the publisher should remove or include the referenced helpers.