ClawHub

Automate Excel

Security checks across malware telemetry and agentic risk

Overview

This is a local Excel/CSV automation skill whose file access and spreadsheet-writing behavior match its stated purpose, with ordinary overwrite risks users should manage.

Before installing, be aware that this skill can read and write local spreadsheets. Use explicit --output paths where possible, keep backups for important workbooks, and be especially careful with renaming or formatting scripts that may overwrite the original file if no output path is supplied.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill advertises very broad activation criteria such as any spreadsheet, Excel, CSV conversion, batch processing, or report generation request. That can cause the agent to invoke a file-reading and file-writing capability in situations where the user did not clearly request filesystem operations, increasing the chance of unintended access or modification of local data.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill gives detailed instructions for creating, appending to, and saving Excel files, including overwriting existing workbooks, but does not prominently warn about destructive changes. In an agent setting, this raises the risk of accidental data loss, corruption of important spreadsheets, or silent overwrites if the user’s intent is ambiguous.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script saves back to the input file when --output is not provided, creating destructive behavior that can overwrite the original workbook without an explicit confirmation step or safer default. In an automation skill that processes user-supplied spreadsheets, this raises the risk of accidental data loss, especially if sheet renaming is performed in batch jobs or with incorrect parameters.

Unpinned Dependencies

Low
Category
Supply Chain
Content
openpyxl>=3.1.0
pandas>=2.0.0
xlrd>=2.0.0
Confidence
96% confidence
Finding
openpyxl>=3.1.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
openpyxl>=3.1.0
pandas>=2.0.0
xlrd>=2.0.0
Confidence
96% confidence
Finding
pandas>=2.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
openpyxl>=3.1.0
pandas>=2.0.0
xlrd>=2.0.0
Confidence
96% confidence
Finding
xlrd>=2.0.0

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal