by 安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
Key things to check before installing or running this skill: 1) The skill expects a native CLI at ./scripts/MiniMaxXlsx but that binary is not included — ask the publisher where it comes from and request source or a vetted release. 2) scripts/recalc.py will write a LibreOffice macro into your home LibreOffice config (~/.config/libreoffice/... or macOS Library path). That can overwrite existing macros and gives the skill a persistent ability to run LibreOffice scripting on files — only allow this...详细分析 ▾
ℹ 用途与能力
The declared purpose (build xlsx deliverables, recalc formulas, validate structure, create pivots/charts) aligns with the provided code and docs: openpyxl/pandas usage and a recalculation step via LibreOffice are reasonable. However, the SKILL.md repeatedly references a native CLI binary at ./scripts/MiniMaxXlsx for many validation/pivot/chart operations but that binary is not present in the file manifest — a functional gap/incoherence. Either the binary is expected to be provided externally at runtime (not declared) or the skill is incomplete.
⚠ 指令范围
The runtime instructions instruct creating and writing a LibreOffice macro into the user's macro folder (~/.config/libreoffice/... or macOS Library path) via scripts/recalc.py. That modifies a persistent user configuration area and can overwrite existing macros. The SKILL.md does not declare or warn about modifying user config paths. The docs also mandate automatic chart creation and always-inserted cover sheets which may produce artifacts the user didn't explicitly request.
ℹ 安装机制
There is no external install spec (instruction-only), which lowers risk. But the skill assumes external tooling: 'soffice' (LibreOffice) and a local binary ./scripts/MiniMaxXlsx. soffice is a reasonable dependency for formula recalculation, but the missing CLI binary is an incoherence. No remote downloads are requested by the skill, which is good, but the scripts will invoke local commands whose presence is assumed.
⚠ 凭证需求
The skill declares no required environment variables or credentials, yet it writes to user home config paths and executes system binaries (soffice, timeout/gtimeout). Writing to the LibreOffice macro directory is persistent filesystem access not disclosed in the metadata. The lack of declared config path requirements is disproportionate to that behavior.
⚠ 持久化与权限
Although always:false, the skill's recalc.py will create or overwrite a macro file in the user's LibreOffice macro directory, producing a persistent change to the user's environment. That is a privileged side-effect (modifies user application config) and should be explicitly disclosed and permissioned; it currently is not.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/3/30
NULL
● Pending
安装命令
点击复制官方npx clawhub@latest install minimax-xlsx-pro
镜像加速npx clawhub@latest install minimax-xlsx-pro --registry https://cn.longxiaskill.com