Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
BOM Compare Tool
v1.0.0
BOM (bill of materials) comparison tool | Compares two versions of a BOM and automatically identifies added, removed, and changed material items
⭐ 0 · 88 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Scanner: OpenClaw · Verdict: Benign (high confidence)
Purpose & Capability
The name/description (BOM comparison) align with the included code and SKILL.md. compare.js parses CSV/XLSX, builds indexes by part number, and reports added/removed/changed items — exactly what the skill claims. There are no unrelated credentials, binaries, or external services required by the described functionality.
Instruction Scope
SKILL.md stays on-topic (how to use the tool, expected output). The runtime code reads user-supplied file paths from disk (expected for a CLI tool). One minor scope note: SKILL.md and metadata do not mention the runtime dependency on the Node 'xlsx' package or Node itself, so the agent/user must ensure those are present; otherwise the script will fail.
Install Mechanism
There is no install spec (instruction-only), which reduces install risk. However, the code requires the npm module 'xlsx' (require('xlsx')), and the skill neither declares nor installs that dependency. This is a usability/packaging omission rather than a security issue, but note that an undeclared dependency is also an unpinned one: whoever installs 'xlsx' to satisfy the require chooses the version, so install it yourself from a source and version you have reviewed rather than letting an agent resolve it ad hoc.
Credentials
The skill requests no environment variables, credentials, or config paths. The code operates only on files provided by the user and does not access external endpoints, secrets, or unrelated system config.
Persistence & Privilege
The skill does not request persistent presence (the always flag is false), does not modify other skills or system-wide settings, and does not persist credentials. It only reads input files and prints a report.
Assessment
This skill appears coherent and limited to comparing BOM files. Before installing/running: (1) ensure you run it where Node and the 'xlsx' npm package are installed (the skill does not provide an install step), (2) only provide BOM files you trust (the script reads arbitrary file paths you pass to it), and (3) if you need to run it in an automated agent, confirm the runtime has no network access or unnecessary privileges if you want to minimize risk. If you want higher assurance, review the compare.js source (already included) or run it in an isolated environment.
Like a lobster shell, security has layers: review code before you run it.
latest: vk9775ymrcrnfgjfwekhq080rn583htf4
