43622283

Li Etl Handle Safe

by Terry S Fisher · GitHub ↗ · v1.0.2 · MIT-0
cross-platform ⚠ suspicious
266 Downloads · 0 Stars · 0 Active Installs · 3 Versions
Install in OpenClaw
/install li-etl-handle-safe
Description
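Safely process Excel and CSV files: supports reading, writing, cleaning, transforming and merging data, with arbitrary code execution prohibited to keep data safe.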
README (SKILL.md)

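li-etl-handle-safe - Safe Excel/CSV ETL Processing Skill

Description

A safe Excel/CSV file processing skill that supports reading, writing, cleaning, transforming and merging tabular data. This version removes the arbitrary code execution feature and uses the safe exceljs library in place of the vulnerable xlsx library.

Version

v1.0.2 - Fixes CSV parsing and Excel writing issues; improves functional tests

Supported formats

  • .xlsx - Excel 2007+
  • .xls - Excel 97-2003 (via conversion)
  • .csv - CSV text files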

Features

Reading tables

  • readExcel(filePath, options) - Read an Excel file
  • readCSV(filePath, options) - Read a CSV file

Writing tables

  • writeExcel(filePath, data, options) - Write an Excel file
  • writeCSV(filePath, data, options) - Write a CSV file

Data cleaning

  • cleanData(data, rules) - Clean data according to rules
  • removeEmptyRows(data) - Remove empty rows
  • removeDuplicates(data, columns) - Remove duplicate rows

Data transformation

  • transformColumns(data, transforms) - Transform column data (supports preset operations such as type conversion and formatting)
  • filterRows(data, conditions) - Filter rows by condition
  • sortData(data, sortColumns) - Sort data

Data merging

  • mergeFiles(filePaths, options) - Merge multiple files
  • appendRows(targetData, sourceData) - Append rows

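Security features

✅ No arbitrary code execution - the executeScript feature has been removed
✅ Safe dependencies - uses exceljs in place of the vulnerable xlsx library
✅ Official sources - all dependencies come from the official HTTPS npm registry
✅ No autonomous invocation - disable-model-invocation: true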

Usage example

// Read an Excel file
const data = await readExcel('/path/to/file.xlsx', { sheet: 0 });

// Clean the data
const cleaned = await cleanData(data, { trim: true, removeEmpty: true });

// Convert column types
const transformed = await transformColumns(cleaned, {
  columns: { price: 'number', date: 'datetime' }
});

// Write a CSV file
await writeCSV('/path/to/output.csv', transformed);

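Notes

  • All file operations are performed locally
  • Executing custom JavaScript code is not supported (for security reasons)
  • Processing large files in batches is recommended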
Usage Guidance
What to check before installing or running this skill:
  • Resolve the disable-model-invocation mismatch: SKILL.md/skill.yaml claim the skill should not be autonomously invoked, but the platform metadata shows disable-model-invocation is not set. If you need the skill prevented from autonomous runs, enforce it in the platform before enabling.
  • Verify package sources before installing: the included package-lock.json lists package tarballs from a non-official HTTP mirror (mirrors.tencentyun.com). Prefer installing from the official npm registry (HTTPS) and/or regenerate the lockfile on a trusted machine to ensure package integrity.
  • Review the package.json and lockfile locally (or run npm audit) if you plan to install dependencies — the code itself has no network calls, but transitive dependencies may have known vulnerabilities.
  • The code performs local file I/O and will create directories/files where given — run it on test data first and avoid giving it sensitive system paths.
  • Note the implementation bug in cleanData (it builds cleanedRow but doesn't use it) — this is a functionality issue, not a security problem, but you may want fixes before production use.
If you cannot verify the lockfile and the platform invocation setting, treat the skill as untrusted until those inconsistencies are resolved.
Capability Analysis
Type: OpenClaw Skill
Name: li-etl-handle-safe
Version: 1.0.2
The skill `li-etl-handle-safe` provides ETL operations for Excel and CSV files but lacks path sanitization in `index.js`, creating a Path Traversal vulnerability in functions like `readExcel`, `readCSV`, and `writeCSV`. While the skill claims to be a 'safe' version and lacks explicit malicious intent, the broad file system access is a high-risk capability that fits the criteria for a suspicious classification. Additionally, `package-lock.json` indicates the use of an unencrypted third-party mirror (http://mirrors.tencentyun.com).
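One way a caller could confine the file paths passed to `readExcel`, `readCSV` and `writeCSV` to a single working directory. This is an added example, not code from the skill; the helper names `resolveInside` and `isAccepted` and the base directory `/srv/etl` are hypothetical.

```javascript
const path = require('node:path');

// Extensions the README lists as supported formats.
const ALLOWED_EXT = new Set(['.xlsx', '.xls', '.csv']);

// Hypothetical helper: resolve userPath under baseDir, or throw if it escapes
// the directory or is not a supported table file.
function resolveInside(baseDir, userPath) {
  if (typeof userPath !== 'string' || userPath.includes('\0')) {
    throw new Error('invalid path');
  }
  const base = path.resolve(baseDir);
  // An absolute userPath replaces base here, so the containment check below is required.
  const target = path.resolve(base, userPath);
  const rel = path.relative(base, target);
  const escapes = rel === '' || rel === '..' ||
    rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  if (escapes) throw new Error(`path escapes ${base}: ${userPath}`);
  if (!ALLOWED_EXT.has(path.extname(target).toLowerCase())) {
    throw new Error(`unsupported file type: ${userPath}`);
  }
  return target;
}

// True when the path would be handed on to the ETL function, false when rejected.
function isAccepted(baseDir, userPath) {
  try {
    resolveInside(baseDir, userPath);
    return true;
  } catch {
    return false;
  }
}

// Constructed inputs: the last name starts with ".." but stays inside the base directory.
for (const p of ['in/report.csv', '../etc/passwd', '/etc/shadow.csv', 'notes.txt', '..data.csv']) {
  console.log(p, '->', isAccepted('/srv/etl', p) ? 'accepted' : 'rejected');
}
```

The check is lexical only; a symlink inside the base directory still needs a comparison of `fs.realpath` results before the file is opened.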
Capability Assessment
Purpose & Capability
Name/description (safe Excel/CSV ETL) aligns with the provided code: read/write CSV & XLSX, cleaning, transforms, merging. The code uses exceljs/csv libs and only performs local file I/O and in-memory transformations — consistent with purpose.
Instruction Scope
SKILL.md and index.js instruct only local file reads/writes and transformations, and the code contains no eval/child_process/network calls. However SKILL.md and skill.yaml claim disable-model-invocation: true (skill should not be autonomously invoked) while the registry flags provided at the top indicate disable-model-invocation is false on the platform — a configuration mismatch that affects runtime behavior and security assumptions.
Install Mechanism
There is no install spec (instruction-only) which is low risk, but the included package-lock.json contains many 'resolved' URLs pointing to a third-party/npm mirror (mirrors.tencentyun.com) over HTTP. This contradicts the skill's claim that dependencies come from the official HTTPS npm registry and could be a supply-chain / integrity concern if packages are installed using that lockfile.
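A check for the lockfile concern described above and in the Usage Guidance, written as an added example rather than anything shipped with the skill. The trusted-host list, the function names and the sample lockfile (package versions, tarball paths and integrity strings) are constructed for illustration.

```javascript
// Flag lockfile entries fetched from outside the official HTTPS npm registry.
const TRUSTED_HOSTS = new Set(['registry.npmjs.org']); // assumption: official registry only

// Gather entries from v2/v3 ("packages") or v1 ("dependencies") lockfile layouts.
function collectEntries(lock) {
  const out = [];
  if (lock.packages) {
    for (const [key, pkg] of Object.entries(lock.packages)) {
      if (key === '') continue; // root project entry has no tarball
      out.push({ ...pkg, name: key.replace(/^.*node_modules\//, '') });
    }
    return out;
  }
  const walk = (deps) => {
    for (const [name, pkg] of Object.entries(deps || {})) {
      out.push({ ...pkg, name });
      walk(pkg.dependencies); // v1 nests transitive installs here
    }
  };
  walk(lock.dependencies);
  return out;
}

function auditLockfile(lock) {
  const findings = [];
  for (const { name, resolved, integrity } of collectEntries(lock)) {
    if (typeof resolved !== 'string') continue; // links and bundled deps carry no URL
    const reasons = [];
    try {
      const url = new URL(resolved);
      if (url.protocol !== 'https:') reasons.push(`non-HTTPS source (${url.protocol})`);
      if (!TRUSTED_HOSTS.has(url.hostname)) reasons.push(`untrusted host ${url.hostname}`);
    } catch {
      reasons.push('unparseable resolved URL');
    }
    if (!/^sha512-/.test(integrity || '')) reasons.push('missing or non-sha512 integrity');
    if (reasons.length) findings.push({ name, resolved, reasons });
  }
  return findings;
}

// Constructed sample: versions, paths and integrity values are placeholders.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'li-etl-handle-safe', version: '1.0.2' },
  'node_modules/exceljs': { resolved: 'http://mirrors.tencentyun.com/npm/exceljs/-/exceljs-0.0.0.tgz', integrity: 'sha512-CONSTRUCTED' },
  'node_modules/example-ok': { resolved: 'https://registry.npmjs.org/example-ok/-/example-ok-0.0.0.tgz', integrity: 'sha512-CONSTRUCTED' },
} };
console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

To run it against a real project, pass the result of `JSON.parse` on the contents of package-lock.json to `auditLockfile` and fail the build when the returned list is non-empty.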
Credentials
The skill requests no environment variables, no credentials, and accesses only local file system paths provided to its functions. This is proportionate to an ETL utility.
Persistence & Privilege
The skill's manifest (skill.yaml and SKILL.md) claim disable-model-invocation: true, but the registry/platform metadata shows disable-model-invocation: false (default). Because autonomous invocation is allowed by the platform as provided, the skill could be invoked automatically unless platform configuration prevents it — this mismatch should be resolved. always: false (good).
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install li-etl-handle-safe
  3. After installation, invoke the skill by name or use /li-etl-handle-safe
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
li-etl-handle-safe v1.0.2
  • Fixed issues with CSV parsing and Excel file writing.
  • Improved and expanded functional tests.
  • Updated documentation to reflect bug fixes and test improvements.
v1.0.1
  • Added initial test files: test.js, test-data.csv, and test-output.csv for automated and sample data testing.
  • Included package-lock.json for dependency tracking and reproducibility.
  • Made updates to index.js for improved testability and/or stability (details not specified).
v1.0.0
Initial secure release with improved safety and Excel/CSV processing features:
  • Removed all arbitrary code execution functionality for enhanced safety.
  • Replaced vulnerable xlsx library with secure exceljs dependency.
  • Supports reading, writing, cleaning, transforming, and merging of Excel (.xlsx, .xls via conversion) and CSV files.
  • Includes robust data cleaning (e.g., remove empty/duplicate rows), column transformation, filtering, and sorting.
  • All operations are local and block custom script execution by design.
Metadata
Slug li-etl-handle-safe
Version 1.0.2
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 3
Frequently Asked Questions

What is Li Etl Handle Safe?

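It safely processes Excel and CSV files: it supports reading, writing, cleaning, transforming and merging data, with arbitrary code execution prohibited to keep data safe. It is an AI Agent Skill for Claude Code / OpenClaw, with 266 downloads so far.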

How do I install Li Etl Handle Safe?

Run "/install li-etl-handle-safe" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Li Etl Handle Safe free?

Yes, Li Etl Handle Safe is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Li Etl Handle Safe support?

Li Etl Handle Safe is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Li Etl Handle Safe?

It is built and maintained by Terry S Fisher (@43622283); the current version is v1.0.2.
