Fund Weekly Report
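v1.8.3 Fund weekly report generation. Automatically generates a fund weekly report as a Word document from Excel data. Supports weekly performance analysis for all types of funds, including active equity, fixed income, index funds, FOF, QDII, and REITs.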
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the artifacts: scripts and references focus on extracting Excel sheets and producing Word reports. Declared deps (pandas, python-docx, openpyxl) and template usage match the stated functionality. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md instructs the agent to read user-provided Excel files (chat upload or local path) and write a Word file in the user's working directory, and it explicitly claims no network requests and no access to sensitive system dirs. That scope is coherent for the task, but because the package includes executable Python scripts, the actual behavior depends on those scripts — e.g., reading arbitrary local file paths or failing to enforce the stated directory restrictions would be a risk. The instructions rely on the user to supply only .xls/.xlsx inputs, which is reasonable but requires trust that the code enforces extension/validation checks.
Install Mechanism
There is no install spec in the registry, but SKILL.md tells users to pip install pandas, python-docx, openpyxl. Using PyPI packages is standard for this task; it does mean installing third‑party packages (supply‑chain risk). No unusual download URLs or archive extraction steps are present in the metadata.
Credentials
The skill does not request environment variables, credentials, or config paths. That is proportionate given the described functionality (local Excel->Word processing).
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It is user-invocable and allows autonomous invocation (platform default), which is normal for skills of this type.
Assessment
This skill is coherent with its purpose, but it includes executable Python scripts and asks you to pip-install packages. Before using it: (1) inspect the actual scripts (read_excel.py and the generate_*.py files) to confirm there are no network calls, subprocess executions, or code paths that read arbitrary filesystem locations beyond the uploaded Excel files; (2) only provide the required .xls/.xlsx files and a trusted .docx template; (3) run the skill in an isolated environment (container or VM) the first time; (4) install dependencies in a virtualenv so packages don't affect your system Python; (5) if you need stronger assurance, run static analysis (search for requests, urllib, socket, subprocess, os.system, open with absolute paths) or ask the author for a provenance / source repository and changelog. If you find the scripts making unexpected network calls or reading system files, do not run them with sensitive data or system-wide privileges.
Like a lobster shell, security has layers — review code before you run it.
latestvk975qwkhrja4dfgvy6ewn1ynvd830b1t
