Back to skill
Skillv0.1.3
ClawScan security
Automate Excel · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 6, 2026, 5:25 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's files, instructions, and required packages match its stated purpose (Excel read/write/transform) and do not request unrelated credentials or network endpoints.
- Guidance
- This package appears coherent and implements only local Excel/CSV processing. Before installing: (1) review the included scripts if you want to confirm behavior (they are human-readable Python); (2) install dependencies inside a virtualenv to avoid affecting system Python; (3) only run the scripts on files you trust or control (they read and write local files and will create outputs in the working directory); (4) note the test-data generator (_make_test_data.py) changes the current directory and writes files under scripts/_test_out if you run it. If you need the agent to run this skill automatically, remember it can execute these scripts on any file you point it at — grant access only to data you intend to process.
Review Dimensions
- Purpose & Capability
- okName/description describe Excel automation and every included script (merge, filter, csv<>xlsx, template fill, validate, etc.) implements those behaviors. No unrelated binaries, env vars, or credentials are requested.
- Instruction Scope
- okSKILL.md and examples only instruct reading/writing local spreadsheet files and running included scripts; they do not instruct reading arbitrary system files, contacting external endpoints, or accessing credentials beyond the local filesystem.
- Install Mechanism
- okThere is no automatic install spec; user is instructed to pip install dependencies (requirements.txt includes openpyxl, pandas, xlrd). This is expected and proportional for a Python-based Excel utility; no downloads from unknown URLs or archive extraction are present.
- Credentials
- okThe skill requires no environment variables, credentials, or config paths. All scripts operate on files provided by the user and standard Python libs; requested packages align with the functionality.
- Persistence & Privilege
- okSkill is not always-enabled and does not request elevated persistence. It contains scripts intended to be run locally and does not modify other skills or system-wide agent settings.