Excel Master

Security checks across malware telemetry and agentic risk

Overview

This Excel helper reads and analyzes user-named spreadsheets and only writes back on an explicit save command, with no evidence of hidden network, credential, or background behavior.

Install only if you are comfortable letting the skill read spreadsheet files you name and show their contents in the agent conversation. Confirm the target file before using save, because it writes back to the opened workbook. Do not rely on advertised chart, PDF export, sheet switching, or AI-analysis features until the publisher implements and documents them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium (85% confidence)
Finding
The invocation phrase "打开excel 文件路径.xlsx" is overly broad and underspecified, which can cause the agent to trigger on ambiguous user input and operate on arbitrary local files without clear confirmation or constraints. In a file-manipulation skill, this increases the risk of unintended access, modification, or disclosure of sensitive spreadsheets if the agent guesses the wrong target or acts without sufficient user intent validation.

Missing User Warnings

Medium (85% confidence)
Finding
The skill advertises saving Excel files and exporting PDFs but provides no warning that these actions will modify existing files or create new output artifacts. In an agent setting, this can lead to unintended overwrites, data loss, or silent file creation in sensitive directories because users are not prompted to confirm destructive or state-changing operations.

Missing User Warnings

Medium (83% confidence)
Finding
The skill claims to perform AI-based table analysis without disclosing how workbook data is handled, whether data leaves the local environment, or what privacy boundaries apply. If connected to external models or services, sensitive spreadsheet contents could be transmitted or retained without user awareness, creating confidentiality and compliance risks.

VirusTotal

65/65 vendors flagged this skill as clean.
