技能详情(站内镜像,无评论)
作者:Terry S Fisher @43622283
许可证:MIT-0
MIT-0 ·免费使用、修改和重新分发。无需归因。
版本:v1.0.2
统计:⭐ 0 · 34 · 0 current installs · 0 all-time installs
⭐ 0
安装量(当前) 0
🛡 VirusTotal :可疑 · OpenClaw :可疑
Package:43622283/li-etl-handle-safe
安全扫描(ClawHub)
- VirusTotal :可疑
- OpenClaw :可疑
OpenClaw 评估
The skill's code and runtime instructions mostly match its stated Excel/CSV ETL purpose and do not perform network exfiltration or arbitrary code execution, but there are mismatches in how it claims to be configured and in its lockfile sources that warrant caution before installing or running it.
目的
Name/description (safe Excel/CSV ETL) aligns with the provided code: read/write CSV & XLSX, cleaning, transforms, merging. The code uses exceljs/csv libs and only performs local file I/O and in-memory transformations — consistent with purpose.
说明范围
SKILL.md and index.js instruct only local file reads/writes and transformations, and the code contains no eval/child_process/network calls. However SKILL.md and skill.yaml claim disable-model-invocation: true (skill should not be autonomously invoked) while the registry flags provided at the top indicate disable-model-invocation is false on the platform — a configuration mismatch that affects runtime behavior and security assumptions.
安装机制
There is no install spec (instruction-only) which is low risk, but the included package-lock.json contains many 'resolved' URLs pointing to a third-party/npm mirror (mirrors.tencentyun.com) over HTTP. This contradicts the skill's claim that dependencies come from the official HTTPS npm registry and could be a supply-chain / integrity concern if packages are installed using that lockfile.
证书
The skill requests no environment variables, no credentials, and accesses only local file system paths provided to its functions. This is proportionate to an ETL utility.
持久
The skill's manifest (skill.yaml and SKILL.md) claim disable-model-invocation: true, but the registry/platform metadata shows disable-model-invocation: false (default). Because autonomous invocation is allowed by the platform as provided, the skill could be invoked automatically unless platform configuration prevents it — this mismatch should be resolved. always: false (good).
安装(复制给龙虾 AI)
将下方整段复制到龙虾中文库对话中,由龙虾按 SKILL.md 完成安装。
请把本段交给龙虾中文库(龙虾 AI)执行:为本机安装 OpenClaw 技能「Li Etl Handle Safe」。简介:安全处理Excel和CSV文件,支持读取、写入、清洗、转换和合并数据,禁止任意代码执行,保障数据安全。。
请 fetch 以下地址读取 SKILL.md 并按文档完成安装:https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/43622283/li-etl-handle-safe/SKILL.md
(来源:yingzhi8.cn 技能库)SKILL.md
暂无本地缓存内容,可在后台执行详情同步。