v1.0.0

BOM Compare Tool

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:13 AM.

Analysis

This skill appears aligned with comparing BOM spreadsheet files, with only minor notes about local file access and an undeclared spreadsheet dependency.

Guidance: This appears safe for its stated purpose. Before installing or using it, confirm the spreadsheet dependency source and only provide BOM files you are comfortable having parsed and included in the comparison report.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low. Confidence: High. Status: Note.
compare.js
const content = fs.readFileSync(filePath, 'utf8'); ... const wb = xlsx.readFile(filePath);

The tool reads local files supplied by path, which is necessary for comparing BOM documents but means the user should control which files are provided.

User impact: The skill can read and summarize the contents of BOM files you point it at, including potentially sensitive part, quantity, specification, or price information.
Recommendation: Use it only with BOM files you intend to compare, and review the generated report before sharing it outside your organization.
Agentic Supply Chain Vulnerabilities
Severity: Low. Confidence: High. Status: Note.
compare.js
const xlsx = require('xlsx');

The code depends on the external xlsx package, while the provided artifacts include no install spec, package manifest, or pinned dependency version.

User impact: The skill may require an external spreadsheet library to run, and the reviewed artifacts do not define exactly which version should be used.
Recommendation: Install the xlsx dependency from a trusted source and consider pinning a known-good version before using the tool.