Trusted — Risk Score 5/100
Last scan: 20 hr ago
excel-ai-analyzer
Smart Excel data-analysis skill: automatic analysis, statistics and report generation
This is a clean, legitimate Excel analysis skill with no malicious indicators. All functionality is declared in SKILL.md, the code is readable with no obfuscation, and no sensitive resource access was found.
Skill Name: excel-ai-analyzer
Duration: 29.2s
Engine: pi
Safe to install
This skill is safe to use. Optionally pin the xlsx dependency to an exact version. Note that package-lock.json already records xlsx 0.18.5, so an `npm ci` install is reproducible today; an exact pin in package.json additionally stops `npm install` from drifting to a later 0.18.x if the lockfile is discarded or regenerated.

Findings: 1 item

Severity: Low
Finding: Dependency version not pinned (Supply Chain)
Detail: the xlsx dependency uses the caret range ^0.18.5 (any 0.18.x at or above 0.18.5) instead of an exact version
Evidence (package.json:15): "xlsx": "^0.18.5"
Recommendation: pin to the exact version 0.18.5 for reproducible builds. The lockfile already resolves 0.18.5, so the pin matters when the lockfile is absent or regenerated, not for `npm ci` against the committed lock.
Resource | Declared | Inferred | Status | Evidence
Filesystem | READ | READ | ✓ Aligned | index.js:14 - fs.existsSync and XLSX.readFile for Excel parsing
Network | NONE | NONE | | No network requests found
Shell | NONE | NONE | | No subprocess or shell execution found
Environment | NONE | NONE | | No environment variable access found
Skill Invoke | EXECUTE | EXECUTE | ✓ Aligned | index.js:180 - module.exports.execute()

Note on the Filesystem row: "Aligned" means the declared READ matches what the scanner inferred from the code; it says nothing about where the path handed to XLSX.readFile comes from. If the caller (or the model invoking the skill) supplies that path, the skill can read any file the process can, so confining the path to a working directory is a check this scan does not make. fs.existsSync followed by XLSX.readFile is also a check-then-use pair: the read itself still has to handle a file that vanished or is unreadable.
9 additional findings (Medium): lockfile resolved URLs

Each package-lock.json entry below resolves its tarball from registry.npmmirror.com (the npm mirror formerly at registry.npm.taobao.org) rather than from registry.npmjs.org. The nine packages are xlsx and its transitive dependencies. `npm ci` downloads tarballs from exactly these URLs, so the mirror becomes part of the supply chain of anyone installing this skill; if each entry also carries an `integrity` hash, the downloaded content is still bound to that hash and only availability and policy are at stake. To remove the mirror from the lockfile, delete node_modules and package-lock.json and reinstall with the registry set to https://registry.npmjs.org/.

Medium | External URL | https://registry.npmmirror.com/adler-32/-/adler-32-1.3.1.tgz | package-lock.json:17
Medium | External URL | https://registry.npmmirror.com/cfb/-/cfb-1.2.2.tgz | package-lock.json:26
Medium | External URL | https://registry.npmmirror.com/codepage/-/codepage-1.15.0.tgz | package-lock.json:39
Medium | External URL | https://registry.npmmirror.com/crc-32/-/crc-32-1.2.2.tgz | package-lock.json:48
Medium | External URL | https://registry.npmmirror.com/frac/-/frac-1.1.2.tgz | package-lock.json:60
Medium | External URL | https://registry.npmmirror.com/ssf/-/ssf-0.11.2.tgz | package-lock.json:69
Medium | External URL | https://registry.npmmirror.com/wmf/-/wmf-1.0.2.tgz | package-lock.json:81
Medium | External URL | https://registry.npmmirror.com/word/-/word-0.3.0.tgz | package-lock.json:90
Medium | External URL | https://registry.npmmirror.com/xlsx/-/xlsx-0.18.5.tgz | package-lock.json:99

File Tree

8 files · 20.2 KB · 763 lines
JavaScript: 2 files, 356 lines · Markdown: 4 files, 267 lines · JSON: 2 files, 140 lines
├─ 📜 index.js JavaScript 256L · 7.5 KB
├─ 📋 package-lock.json JSON 119L · 3.7 KB
├─ 📋 package.json JSON 21L · 394 B
├─ 📝 PUBLISH_CHECKLIST.md Markdown 84L · 1.7 KB
├─ 📝 README.md Markdown 87L · 1.7 KB
├─ 📝 SKILL.md Markdown 47L · 1006 B
├─ 📝 test-report.md Markdown 49L · 1.1 KB
└─ 📜 test.js JavaScript 100L · 3.2 KB

Dependencies: 1 item (direct dependencies only; the eight transitive packages appear in the lockfile findings above)

Package | Version | Source | Known Vulns | Notes
xlsx | 0.18.5 | npm | No | Caret range ^0.18.5 - recommend exact pin

Caveat on "Known Vulns: No": 0.18.5 is the last xlsx release published to the public npm registry; SheetJS now distributes newer versions from its own CDN, so the npm line no longer receives fixes. Treat "No" as the scanner's view at scan time and confirm with `npm audit` and the GitHub advisory database before relying on it.
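The two supply-chain points on this page, the caret range in package.json and the lockfile entries resolved from a mirror, can both be checked mechanically before a skill is installed. This added example (not part of the skill and not the scanner's code) walks a package.json and a lockfileVersion 2/3 package-lock.json and reports non-exact ranges, tarballs resolved from hosts outside an allow-list, and entries that lack an integrity hash. The manifests are constructed inline; the package names follow the report, but the integrity values are placeholders and the missing-integrity entry is invented to exercise that check.

```javascript
// Added example, not code from excel-ai-analyzer. Checks a package.json and a
// lockfileVersion 2/3 package-lock.json for the two supply-chain issues in the
// report: non-exact ranges and tarballs resolved from an unexpected registry.

// package.json excerpt (constructed): one caret range, one exact pin.
const samplePackageJson = {
  name: 'excel-ai-analyzer',
  dependencies: { xlsx: '^0.18.5', ssf: '0.11.2' },
};

// package-lock.json excerpt (constructed). The integrity values are placeholders,
// and node_modules/frac deliberately has no integrity field at all.
const sampleLockfile = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'excel-ai-analyzer', dependencies: { xlsx: '^0.18.5' } },
    'node_modules/xlsx': {
      version: '0.18.5',
      resolved: 'https://registry.npmmirror.com/xlsx/-/xlsx-0.18.5.tgz',
      integrity: 'sha512-PLACEHOLDER',
    },
    'node_modules/ssf': {
      version: '0.11.2',
      resolved: 'https://registry.npmjs.org/ssf/-/ssf-0.11.2.tgz',
      integrity: 'sha512-PLACEHOLDER',
    },
    'node_modules/frac': {
      version: '1.1.2',
      resolved: 'https://registry.npmmirror.com/frac/-/frac-1.1.2.tgz',
    },
  },
};

// An exact version is MAJOR.MINOR.PATCH with an optional prerelease/build tag;
// anything else (^, ~, >=, *, x-ranges, dist-tags, URLs) lets `npm install` drift.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/;

function unpinnedDependencies(manifest) {
  const out = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, range] of Object.entries(manifest[field] || {})) {
      if (!EXACT_VERSION.test(range)) out.push({ field, name, range });
    }
  }
  return out;
}

// Walk the "packages" map (lockfileVersion 2/3). The "" key is the root
// project; entries without "resolved" are links or bundled deps and are skipped.
function auditLockfile(lockfile, allowedHosts) {
  if (!lockfile.packages) throw new Error('expected lockfileVersion 2 or 3');
  const allowed = new Set(allowedHosts);
  const foreignResolved = [];
  const missingIntegrity = [];
  for (const [pkgPath, entry] of Object.entries(lockfile.packages)) {
    if (pkgPath === '' || !entry.resolved) continue;
    const host = new URL(entry.resolved).host;
    if (!allowed.has(host)) foreignResolved.push({ path: pkgPath, host, resolved: entry.resolved });
    if (!entry.integrity) missingIntegrity.push({ path: pkgPath, resolved: entry.resolved });
  }
  return { foreignResolved, missingIntegrity };
}

// One verdict object a CI job can fail on.
function supplyChainReport(manifest, lockfile, allowedHosts) {
  const unpinned = unpinnedDependencies(manifest);
  const lock = auditLockfile(lockfile, allowedHosts);
  return {
    unpinned,
    ...lock,
    ok: unpinned.length === 0 && lock.foreignResolved.length === 0 && lock.missingIntegrity.length === 0,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const report = supplyChainReport(samplePackageJson, sampleLockfile, ['registry.npmjs.org']);
  console.log(JSON.stringify(report, null, 2));
}
```

Run against a real project by replacing the two constructed objects with JSON.parse of the files; the allow-list is a policy decision (a team that intentionally uses registry.npmmirror.com adds it), while a missing integrity field is a defect regardless of host, because `npm ci` then trusts whatever the URL serves.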

Security Positives

✓ All functionality explicitly declared in SKILL.md - no hidden behavior
✓ No network requests, shell execution, or credential access
✓ Clean, readable code with no obfuscation or base64 encoding
✓ No sensitive path access (~/.ssh, ~/.aws, .env)
✓ Standard xlsx library for Excel parsing - widely used dependency (see the version caveat under Dependencies)
✓ No C2 communication, reverse shells, or data exfiltration
✓ Only legitimate filesystem:READ for file path operations