Skill details (on-site mirror, no comments)
Author: Terry S Fisher @43622283
License: MIT-0
MIT-0 · Free to use, modify, and redistribute. No attribution required.
Version: v1.0.1
Stats: ⭐ 0 · 32 · 0 current installs · 0 all-time installs
🛡 VirusTotal: Suspicious · OpenClaw: Suspicious
Package: 43622283/li-etl-handle
Security scan (ClawHub)
- VirusTotal: Suspicious
- OpenClaw: Suspicious
OpenClaw assessment
The skill appears to implement the advertised Excel/CSV ETL features and its dependencies align with that purpose, but it includes an executeScript entrypoint (arbitrary JS execution) and a known-vulnerable xlsx dependency plus a package-lock that references a non-standard registry mirror — these increase risk and merit caution before installing or allowing autonomous use.
Purpose
Name/description match the actual code and files: index.js implements read/write/clean/transform/merge for .xlsx/.xls/.csv and depends on xlsx, csv-parser, csv-stringify — these are coherent and expected for an Excel ETL skill.
Instruction scope
SKILL.md and the code provide executeScript / JavaScript script support which intentionally allows executing user-provided JS to transform rows. While this is a documented feature of the skill, it grants the skill (and any caller that can invoke it) ability to run arbitrary code in the host process with full filesystem and process access unless you sandbox it. The doc warns about this but does not define a runtime sandbox or limits; that lack …
Install mechanism
There is no platform install spec (instruction-only), which minimizes automatic installs by the platform. However the package.json/package-lock declare dependencies and package-lock resolves packages from a mirror (mirrors.tencentyun.com) via HTTP; installing these packages would fetch third-party code. The xlsx dependency is a known-vulnerable version according to the included audit notes.
Credentials
The skill declares no required environment variables, credentials, or privileged config paths. The code operates on local files and does not attempt to read environment secrets or external credentials, which is proportionate to an ETL utility.
Persistence
always:false (good) but disable-model-invocation:false (default) means the agent may autonomously invoke the skill. Combined with executeScript (arbitrary JS execution) this increases blast radius: an autonomous agent could pass scripts that access files or environment. The skill does not modify other skills or system settings, but the autonomous-call + executeScript combination is a notable risk.
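Install (copy to Lobster AI)
Copy the entire block below into a Lobster Chinese Library (龙虾中文库) conversation, and Lobster will complete the installation according to SKILL.md.
Please hand this block to Lobster Chinese Library (Lobster AI) to execute: install the OpenClaw skill "Li ETL Handle" on this machine. Description: Node.js-based Excel automation for reading, writing, cleaning, transforming, me….
Please fetch the following address to read SKILL.md and complete the installation according to the document: https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/43622283/li-etl-handle/SKILL.md
(Source: yingzhi8.cn skill library)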