Low risk: risk score 15/100
Last scanned: 20 hours ago
Li_ETL_handle
ETL automation skill: Excel/CSV file reading, writing, cleaning, transformation and merging
Legitimate Excel ETL skill with documented security considerations (xlsx vulnerability, executeScript risk), no hidden malicious behavior detected.
Skill name: Li_ETL_handle
Analysis time: 42.5s
Engine: pi
Verdict: can be installed
This skill is safe for use with standard precautions: only process trusted Excel/CSV files, treat any function passed to executeScript() as code you are choosing to run with the skill's full privileges, and move the xlsx dependency to a release that fixes the two advisories listed below.

Security findings (2)

| Severity | Finding | Category | Location |
|---|---|---|---|
| Medium | xlsx dependency has known vulnerabilities | Supply chain | package.json:1 |
| Low | executeScript allows arbitrary function execution | Code execution | index.js:640 |

Medium: xlsx dependency has known vulnerabilities (supply chain)
The xlsx@^0.18.5 package has two documented vulnerabilities: Prototype Pollution (GHSA-4r6h-8v6p-xvw6) and ReDoS (GHSA-5pgg-2g8v-p4x9). Both are triggered by parsing attacker-controlled workbook content, so they matter whenever the skill reads an Excel file it did not produce itself.
Evidence (package.json:1): "xlsx": "^0.18.5"
→ Upgrade to a fixed release. GHSA-4r6h-8v6p-xvw6 is fixed in xlsx 0.19.3 and GHSA-5pgg-2g8v-p4x9 in xlsx 0.20.2; a caret range such as ^0.19.0 does not reach 0.20.x, so the range has to be raised to at least 0.20.2. Note that SheetJS stopped publishing new xlsx releases to the public npm registry after 0.18.5 and distributes the fixed tarballs from its own CDN (cdn.sheetjs.com), so "when available" on npm will not happen; the dependency must point at the CDN tarball instead. The finding is documented in SECURITY_AUDIT.md and mentioned in the SKILL.md security notice.

Low: executeScript allows arbitrary function execution (code execution)
The executeScript function accepts a caller-supplied JavaScript function and invokes it for every row. This is declared in the documentation, but the call is direct, so whoever supplies scriptFn runs code with the full privileges of the skill process; nothing in the function itself constrains what that code can do.
Evidence (index.js:640): function executeScript(data, scriptFn) { ... scriptFn(row, index, data) }
→ Use with caution. Only pass trusted functions to executeScript(). Documented in SKILL.md under ⚠️ Security Notice.
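
The following is an added example, not code from Li_ETL_handle. It places the executeScript pattern the finding describes (an arbitrary callback applied to every row) beside a declarative alternative in which the transform is data rather than code: each step names an allow-listed operation and a field, the spec is validated before any row is touched, and no caller-supplied function is ever invoked. The operation names, the sample rows and the spec are constructed for the example.

```javascript
// Added example (not code from Li_ETL_handle). Rows, ops and specs are constructed.

// 1. The pattern flagged in the finding. scriptFn is arbitrary JavaScript and runs
//    with the full privileges of the process; anything that can reach this
//    parameter (a config file, a prompt, a calling skill) has code execution.
function executeScript(data, scriptFn) {
  return data.map((row, index) => scriptFn(row, index, data));
}

// 2. Hardened alternative: the caller sends a list of {op, field} steps. Only the
//    operations defined here can run, and only on fields the caller is allowed
//    to touch. Object.hasOwn() checks own properties only, so names such as
//    "constructor" or "__proto__" cannot resolve to anything via the prototype.
const OPS = {
  trim:   (v) => (typeof v === 'string' ? v.trim() : v),
  upper:  (v) => (typeof v === 'string' ? v.toUpperCase() : v),
  number: (v) => { const n = Number(v); return Number.isFinite(n) ? n : null; },
  // keep the last four characters, mask the rest (a simple PII mask)
  mask:   (v) => (typeof v === 'string' ? v.replace(/.(?=.{4})/g, '*') : v),
};

function validateSpec(steps, allowedFields) {
  if (!Array.isArray(steps)) throw new TypeError('spec must be an array');
  for (const s of steps) {
    if (!s || typeof s.op !== 'string' || !Object.hasOwn(OPS, s.op)) {
      throw new Error(`unknown op: ${s && s.op}`);
    }
    if (!allowedFields.includes(s.field)) {
      throw new Error(`field not allowed: ${s && s.field}`);
    }
  }
  return steps;
}

// Validate first, then apply. Input rows are copied, never mutated.
function applySpec(data, steps, allowedFields) {
  validateSpec(steps, allowedFields);
  return data.map((row) => {
    const out = { ...row };
    for (const { op, field } of steps) out[field] = OPS[op](out[field]);
    return out;
  });
}

// Constructed sample rows, field allow-list and transform spec.
const ROWS = [
  { name: ' alice ', phone: '13800138000', amount: '12.50' },
  { name: 'bob',     phone: '13900139000', amount: 'n/a'   },
];
const FIELDS = ['name', 'phone', 'amount'];
const SPEC = [
  { op: 'trim',   field: 'name' },
  { op: 'upper',  field: 'name' },
  { op: 'number', field: 'amount' },
  { op: 'mask',   field: 'phone' },
];

function demo() {
  return applySpec(ROWS, SPEC, FIELDS);
}
```

The declarative form loses generality on purpose: a transform that cannot be expressed as allow-listed steps has to be added to OPS by the skill author, which is exactly the review step that an arbitrary scriptFn skips.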
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | READ+WRITE | READ+WRITE | ✓ Consistent | readExcel/readCSV for READ, writeExcel/writeCSV for WRITE; documented in SKILL.… |
| Network access | NONE | NONE | | No HTTP/HTTPS requests in code; purely local file processing |
| Command execution | NONE | NONE | | No child_process or shell execution found |
| Environment variables | NONE | NONE | | No environment-variable iteration or secret harvesting |
| Skill invocation | NONE | NONE | | No nested skill invocations |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | No browser automation |
| Database | NONE | NONE | | No database connections |
14 findings (URLs and email addresses)

Eleven of the URLs are the `resolved` tarball sources in package-lock.json. They point at a third-party npm mirror (mirrors.tencentyun.com) over plain HTTP rather than at registry.npmjs.org; npm downloads from the `resolved` URL as written, so the lockfile's `integrity` hashes are the only protection against a tampered tarball from that host, and regenerating the lockfile against the official registry is the simpler fix. The two clawhub.com links are listing pages; note that README.md links to li-excel-handle while skill.yaml links to li-etl-handle.

| Severity | Type | Value | Location |
|---|---|---|---|
| Medium | External URL | https://clawhub.com/skills/li-excel-handle | README.md:158 |
| Medium | External URL | http://mirrors.tencentyun.com/npm/adler-32/-/adler-32-1.3.1.tgz | package-lock.json:19 |
| Medium | External URL | http://mirrors.tencentyun.com/npm/cfb/-/cfb-1.2.2.tgz | package-lock.json:28 |
| Medium | External URL | http://mirrors.tencentyun.com/npm/codepage/-/codepage-1.15.0.tgz | package-lock.json:41 |
| Medium | External URL | http://mirrors.tencentyun.com/npm/crc-32/-/crc-32-1.2.2.tgz | package-lock.json:50 |
| Medium | External URL | http://mirrors.tencentyun.com/npm/csv-parser/-/csv-parser-3.2.0.tgz | package-lock.json:62 |
| Medium | External URL | http://mirrors.tencentyun.com/npm/csv-stringify/-/csv-stringify-6.7.0.tgz | package-lock.json:74 |
| Medium | External URL | http://mirrors.tencentyun.com/npm/frac/-/frac-1.1.2.tgz | package-lock.json:80 |
| Medium | External URL | http://mirrors.tencentyun.com/npm/ssf/-/ssf-0.11.2.tgz | package-lock.json:89 |
| Medium | External URL | http://mirrors.tencentyun.com/npm/wmf/-/wmf-1.0.2.tgz | package-lock.json:101 |
| Medium | External URL | http://mirrors.tencentyun.com/npm/word/-/word-0.3.0.tgz | package-lock.json:110 |
| Medium | External URL | http://mirrors.tencentyun.com/npm/xlsx/-/xlsx-0.18.5.tgz | package-lock.json:119 |
| Medium | External URL | https://clawhub.com/skills/li-etl-handle | skill.yaml:49 |
| Info | Email address | [email protected] | tests/scenario.test.js:187 |
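
The following is an added example, not part of the scan report or of the skill: a small lockfile audit that turns the package-lock.json URL findings above and the xlsx advisory finding into a pass/fail check. It walks the `packages` map of an npm lockfileVersion 2/3 file and flags tarballs fetched over plain HTTP, tarballs from hosts outside an allow-list, entries with no `integrity` hash, and xlsx versions below the advisories' fixed releases (0.19.3 for GHSA-4r6h-8v6p-xvw6, 0.20.2 for GHSA-5pgg-2g8v-p4x9). The lockfile excerpt is constructed to mirror the report (same mirror host, same versions); its `integrity` values are placeholders, and the allowed-host list and the semver helper are this example's own.

```javascript
// Added example (not the report's or the skill's code). The lockfile below is
// constructed; its integrity strings are placeholders, not real sha512 digests.

const ALLOWED_HOSTS = new Set(['registry.npmjs.org']);

// Fixed versions for the two advisories named in the report (SheetJS xlsx).
const ADVISORIES = [
  { pkg: 'xlsx', id: 'GHSA-4r6h-8v6p-xvw6', fixed: '0.19.3' },
  { pkg: 'xlsx', id: 'GHSA-5pgg-2g8v-p4x9', fixed: '0.20.2' },
];

// Minimal compare for plain x.y.z versions (no prerelease or build tags).
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Package name from a lockfile path such as "node_modules/a/node_modules/@s/b".
function packageName(path) {
  const marker = 'node_modules/';
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, no tarball
    const name = packageName(path);
    if (entry.resolved) {
      const u = new URL(entry.resolved);
      if (u.protocol !== 'https:') {
        findings.push({ pkg: name, issue: 'plain-http-tarball', detail: entry.resolved });
      }
      if (!ALLOWED_HOSTS.has(u.hostname)) {
        findings.push({ pkg: name, issue: 'non-registry-host', detail: u.hostname });
      }
    }
    if (!entry.integrity) {
      findings.push({ pkg: name, issue: 'missing-integrity', detail: path });
    }
    for (const adv of ADVISORIES) {
      if (name === adv.pkg && entry.version && cmpVersion(entry.version, adv.fixed) < 0) {
        findings.push({ pkg: name, issue: adv.id, detail: `${entry.version} < ${adv.fixed}` });
      }
    }
  }
  return findings;
}

// Constructed lockfile excerpt: two entries shaped like the report's mirror
// URLs and one entry shaped like a clean registry.npmjs.org resolution.
const LOCK = {
  name: 'li-etl-handle',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { xlsx: '^0.18.5', 'csv-parser': '^3.0.0', 'csv-stringify': '^6.4.0' } },
    'node_modules/xlsx': {
      version: '0.18.5',
      resolved: 'http://mirrors.tencentyun.com/npm/xlsx/-/xlsx-0.18.5.tgz',
      integrity: 'sha512-PLACEHOLDER-constructed-for-example',
    },
    'node_modules/csv-parser': {
      version: '3.2.0',
      resolved: 'http://mirrors.tencentyun.com/npm/csv-parser/-/csv-parser-3.2.0.tgz',
      // integrity deliberately omitted: nothing pins this tarball's content
    },
    'node_modules/csv-stringify': {
      version: '6.7.0',
      resolved: 'https://registry.npmjs.org/csv-stringify/-/csv-stringify-6.7.0.tgz',
      integrity: 'sha512-PLACEHOLDER-constructed-for-example',
    },
  },
};

function demoAudit() {
  return auditLockfile(LOCK);
}
```

On the constructed input the audit returns seven findings: four for xlsx (plain HTTP, non-registry host, and both advisories), three for csv-parser (plain HTTP, non-registry host, missing integrity) and none for csv-stringify. Against a real lockfile, read the file with fs and JSON.parse it before calling auditLockfile; a lockfileVersion 1 file keeps the same fields under `dependencies` instead of `packages` and would need that key walked instead.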

Directory structure

16 files · 103.6 KB · 3578 lines
JavaScript 4 files · 2115 lines; Markdown 7 files · 1171 lines; JSON 2 files · 217 lines; YAML 1 file · 64 lines; CSV 2 files · 11 lines
├─ 📁 tests
│ ├─ 📁 scenarios
│ │ ├─ 📝 dataset_issues.md Markdown 43L · 1.2 KB
│ │ └─ 📄 scenario4_raw.csv CSV 4L · 168 B
│ ├─ 📁 temp
│ │ └─ 📄 test_convert.csv CSV 7L · 233 B
│ ├─ 📜 scenario.test.js JavaScript 384L · 14.1 KB
│ └─ 📜 unit.test.js JavaScript 613L · 19.5 KB
├─ 📝 CLAWHUB_SECURITY_CHECK.md Markdown 181L · 4.0 KB
├─ 📜 index.js JavaScript 1018L · 27.1 KB
├─ 📋 package-lock.json JSON 139L · 4.5 KB
├─ 📋 package.json JSON 78L · 2.1 KB
├─ 📝 README.md Markdown 281L · 6.9 KB
├─ 📝 SECURITY_AUDIT.md Markdown 118L · 3.0 KB
├─ 📝 SECURITY_FIXES.md Markdown 97L · 2.4 KB
├─ 📝 SKILL.md Markdown 230L · 7.8 KB
├─ 📋 skill.yaml YAML 64L · 1.7 KB
├─ 📝 TEST_REPORT.md Markdown 221L · 5.3 KB
└─ 📜 test.js JavaScript 100L · 3.8 KB

Dependency analysis (3)

| Package | Version range | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| xlsx | ^0.18.5 | npm | GHSA-4r6h-8v6p-xvw6, GHSA-5pgg-2g8v-p4x9 | Documented in the security docs; fixed releases (0.19.3 / 0.20.2) are published on the SheetJS CDN, not the public npm registry |
| csv-parser | ^3.0.0 | npm | None reported | Caret range, not pinned; resolved to 3.2.0 in package-lock.json; standard package |
| csv-stringify | ^6.4.0 | npm | None reported | Caret range, not pinned; resolved to 6.7.0 in package-lock.json; standard package |

Security highlights

✓ No credential theft - does not access environment variables for API keys or secrets
✓ No C2 communication - no external network requests or data exfiltration
✓ No obfuscation - all code is readable and clear
✓ Complete documentation - SKILL.md lists all features accurately
✓ Comprehensive security documentation - SECURITY_AUDIT.md, CLAWHUB_SECURITY_CHECK.md, SECURITY_FIXES.md
✓ No sensitive path access - does not read ~/.ssh, ~/.aws, .env or similar files
✓ No reverse shell or RCE - no child_process execution
✓ Data masking functionality - maskSensitiveData() for PII protection
✓ Transparent about risks - known vulnerabilities documented