Low Risk — Risk Score 15/100
Last scan: 18 hr ago
Li_ETL_handle
ETL automation skill: reading, writing, cleaning, transforming and merging Excel/CSV files
Legitimate Excel ETL skill with documented security considerations (xlsx vulnerability, executeScript risk), no hidden malicious behavior detected.
Skill Name: Li_ETL_handle
Duration: 42.5s
Engine: pi
Safe to install
This skill is safe for use with standard precautions: only process trusted Excel/CSV files, be cautious with executeScript() when passing custom functions, and consider upgrading xlsx package when available.

Findings 2 items

Severity | Finding | Location
Medium | xlsx dependency has known vulnerabilities | Supply Chain
    The xlsx@^0.18.5 package has two documented vulnerabilities: Prototype Pollution (GHSA-4r6h-8v6p-xvw6) and ReDoS (GHSA-5pgg-2g8v-p4x9). This could affect processing of maliciously crafted Excel files.
    Evidence: "xlsx": "^0.18.5" (package.json:1)
    → Upgrade to xlsx@^0.19.0 or later when available. This is documented in SECURITY_AUDIT.md and mentioned in the SKILL.md security notice.
Low | executeScript allows arbitrary function execution | RCE
    The executeScript function accepts and executes user-provided JavaScript functions. While this is declared in the documentation, it requires user trust in the provided functions.
    Evidence: function executeScript(data, scriptFn) { ... scriptFn(row, index, data) } (index.js:640)
    → Use with caution. Only pass trusted functions to executeScript(). Documented in SKILL.md under ⚠️ Security Notice.
Resource | Declared | Inferred | Status | Evidence
Filesystem | READ+WRITE | READ+WRITE | ✓ Aligned | readExcel/readCSV for READ, writeExcel/writeCSV for WRITE - documented in SKILL.…
Network | NONE | NONE | | No HTTP/HTTPS requests in code; purely local file processing
Shell | NONE | NONE | | No child_process or shell execution found
Environment | NONE | NONE | | No os.environ iteration or secret harvesting
Skill Invoke | NONE | NONE | | No nested skill invocations
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser automation
Database | NONE | NONE | | No database connections
14 findings

Severity | Type | Value | Location
Medium | External URL | https://clawhub.com/skills/li-excel-handle | README.md:158
Medium | External URL | http://mirrors.tencentyun.com/npm/adler-32/-/adler-32-1.3.1.tgz | package-lock.json:19
Medium | External URL | http://mirrors.tencentyun.com/npm/cfb/-/cfb-1.2.2.tgz | package-lock.json:28
Medium | External URL | http://mirrors.tencentyun.com/npm/codepage/-/codepage-1.15.0.tgz | package-lock.json:41
Medium | External URL | http://mirrors.tencentyun.com/npm/crc-32/-/crc-32-1.2.2.tgz | package-lock.json:50
Medium | External URL | http://mirrors.tencentyun.com/npm/csv-parser/-/csv-parser-3.2.0.tgz | package-lock.json:62
Medium | External URL | http://mirrors.tencentyun.com/npm/csv-stringify/-/csv-stringify-6.7.0.tgz | package-lock.json:74
Medium | External URL | http://mirrors.tencentyun.com/npm/frac/-/frac-1.1.2.tgz | package-lock.json:80
Medium | External URL | http://mirrors.tencentyun.com/npm/ssf/-/ssf-0.11.2.tgz | package-lock.json:89
Medium | External URL | http://mirrors.tencentyun.com/npm/wmf/-/wmf-1.0.2.tgz | package-lock.json:101
Medium | External URL | http://mirrors.tencentyun.com/npm/word/-/word-0.3.0.tgz | package-lock.json:110
Medium | External URL | http://mirrors.tencentyun.com/npm/xlsx/-/xlsx-0.18.5.tgz | package-lock.json:119
Medium | External URL | https://clawhub.com/skills/li-etl-handle | skill.yaml:49
Info | Email address | [email protected] | tests/scenario.test.js:187

File Tree

16 files · 103.6 KB · 3578 lines
JavaScript: 4 files · 2115 lines; Markdown: 7 files · 1171 lines; JSON: 2 files · 217 lines; YAML: 1 file · 64 lines; CSV: 2 files · 11 lines
├─ 📁 tests
│ ├─ 📁 scenarios
│ │ ├─ 📝 dataset_issues.md Markdown 43L · 1.2 KB
│ │ └─ 📄 scenario4_raw.csv CSV 4L · 168 B
│ ├─ 📁 temp
│ │ └─ 📄 test_convert.csv CSV 7L · 233 B
│ ├─ 📜 scenario.test.js JavaScript 384L · 14.1 KB
│ └─ 📜 unit.test.js JavaScript 613L · 19.5 KB
├─ 📝 CLAWHUB_SECURITY_CHECK.md Markdown 181L · 4.0 KB
├─ 📜 index.js JavaScript 1018L · 27.1 KB
├─ 📋 package-lock.json JSON 139L · 4.5 KB
├─ 📋 package.json JSON 78L · 2.1 KB
├─ 📝 README.md Markdown 281L · 6.9 KB
├─ 📝 SECURITY_AUDIT.md Markdown 118L · 3.0 KB
├─ 📝 SECURITY_FIXES.md Markdown 97L · 2.4 KB
├─ 📝 SKILL.md Markdown 230L · 7.8 KB
├─ 📋 skill.yaml YAML 64L · 1.7 KB
├─ 📝 TEST_REPORT.md Markdown 221L · 5.3 KB
└─ 📜 test.js JavaScript 100L · 3.8 KB

Dependencies 3 items

Package | Version | Source | Known Vulns | Notes
xlsx | ^0.18.5 | npm | Yes | Has vulnerabilities GHSA-4r6h-8v6p-xvw6 and GHSA-5pgg-2g8v-p4x9 - documented in security docs
csv-parser | ^3.0.0 | npm | No | Version not pinned (minor), standard package
csv-stringify | ^6.4.0 | npm | No | Version not pinned (minor), standard package

Security Positives

✓ No credential theft - does not access environment variables for API keys or secrets
✓ No C2 communication - no external network requests or data exfiltration
✓ No obfuscation - all code is readable and clear
✓ Complete documentation - SKILL.md lists all features accurately
✓ Comprehensive security documentation - SECURITY_AUDIT.md, CLAWHUB_SECURITY_CHECK.md, SECURITY_FIXES.md
✓ No sensitive path access - does not read ~/.ssh, ~/.aws, .env or similar files
✓ No reverse shell or RCE - no child_process execution
✓ Data masking functionality - maskSensitiveData() for PII protection
✓ Transparent about risks - known vulnerabilities documented