43622283

Li Etl Handle Safe

Author: Terry S Fisher · GitHub ↗ · v1.0.2 · MIT-0
cross-platform ⚠ suspicious
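Total downloads: 266
Favorites: 0
Current installs: 0
Versions: 3
Install in OpenClaw
/install li-etl-handle-safe
Description
Safely processes Excel and CSV files; supports reading, writing, cleaning, transforming and merging data, prohibits arbitrary code execution, and safeguards data security.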
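Usage (SKILL.md)

li-etl-handle-safe - Safe Excel/CSV ETL processing skill

Description

A safe Excel/CSV file processing skill that supports reading, writing, cleaning, transforming and merging tabular data. This version has removed the arbitrary code execution feature and uses the safe exceljs library in place of the vulnerable xlsx library.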

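Version

v1.0.2 - Fixed CSV parsing and Excel writing issues; improved functional tests

Supported formats

  • .xlsx - Excel 2007+
  • .xls - Excel 97-2003 (via conversion)
  • .csv - CSV text file

Function list

Reading tables

  • readExcel(filePath, options) - Read an Excel file
  • readCSV(filePath, options) - Read a CSV file

Writing tables

  • writeExcel(filePath, data, options) - Write an Excel file
  • writeCSV(filePath, data, options) - Write a CSV file

Data cleaning

  • cleanData(data, rules) - Clean data according to rules
  • removeEmptyRows(data) - Remove empty rows
  • removeDuplicates(data, columns) - Remove duplicate rows

Data transformation

  • transformColumns(data, transforms) - Transform column data (supports preset operations such as type conversion and formatting)
  • filterRows(data, conditions) - Filter rows by condition
  • sortData(data, sortColumns) - Sort data

Data merging

  • mergeFiles(filePaths, options) - Merge multiple files
  • appendRows(targetData, sourceData) - Append row data

Security features

  • ✅ No arbitrary code execution - the executeScript function has been removed
  • ✅ Safe dependencies - uses exceljs in place of the vulnerable xlsx library
  • ✅ Official source - all dependencies come from the official HTTPS npm registry
  • ✅ No autonomous invocation - disable-model-invocation: true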

Usage example

// Read Excel
const data = await readExcel('/path/to/file.xlsx', { sheet: 0 });

// Clean the data
const cleaned = await cleanData(data, { trim: true, removeEmpty: true });

// Convert column types
const transformed = await transformColumns(cleaned, {
  columns: { price: 'number', date: 'datetime' }
});

// Write CSV
await writeCSV('/path/to/output.csv', transformed);

Notes

  • All file operations are performed locally
  • Executing custom JavaScript code is not supported (for security reasons)
  • Large files should be processed in batches
Security recommendations
What to check before installing or running this skill:
  • Resolve the disable-model-invocation mismatch: SKILL.md/skill.yaml claim the skill should not be autonomously invoked, but the platform metadata shows disable-model-invocation is not set. If you need the skill prevented from autonomous runs, enforce it in the platform before enabling.
  • Verify package sources before installing: the included package-lock.json lists package tarballs from a non-official HTTP mirror (mirrors.tencentyun.com). Prefer installing from the official npm registry (HTTPS) and/or regenerate the lockfile on a trusted machine to ensure package integrity.
  • Review the package.json and lockfile locally (or run npm audit) if you plan to install dependencies — the code itself has no network calls, but transitive dependencies may have known vulnerabilities.
  • The code performs local file I/O and will create directories/files where given — run it on test data first and avoid giving it sensitive system paths.
  • Note the implementation bug in cleanData (it builds cleanedRow but doesn't use it) — this is a functionality issue, not a security problem, but you may want fixes before production use.
If you cannot verify the lockfile and the platform invocation setting, treat the skill as untrusted until those inconsistencies are resolved.
Functional analysis
Type: OpenClaw Skill
Name: li-etl-handle-safe
Version: 1.0.2
The skill `li-etl-handle-safe` provides ETL operations for Excel and CSV files but lacks path sanitization in `index.js`, creating a Path Traversal vulnerability in functions like `readExcel`, `readCSV`, and `writeCSV`. While the skill claims to be a 'safe' version and lacks explicit malicious intent, the broad file system access is a high-risk capability that fits the criteria for a suspicious classification. Additionally, `package-lock.json` indicates the use of an unencrypted third-party mirror (http://mirrors.tencentyun.com).
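One way a caller can confine the file paths handed to the skill's functions, given the missing path sanitization noted above. This is an added example, not code from the skill: `resolveInside`, `confine` and the base directory are hypothetical, and the check is lexical only (symlinks inside the base directory are not resolved).

```javascript
const path = require('node:path');

// Formats the skill's documentation lists as supported.
const ALLOWED_EXT = new Set(['.xlsx', '.xls', '.csv']);

// Hypothetical helper: resolve userPath against baseDir and refuse anything
// that lands outside it or is not one of the supported file types.
function resolveInside(baseDir, userPath) {
  if (typeof userPath !== 'string' || userPath.includes('\0')) {
    throw new Error('invalid path');
  }
  const base = path.resolve(baseDir);
  // An absolute userPath replaces base here, so the relative check below
  // catches it the same way it catches "../" sequences.
  const full = path.resolve(base, userPath);
  const rel = path.relative(base, full);
  const escapes = rel === '' || rel === '..' ||
    rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  if (escapes) {
    throw new Error(`path escapes ${base}: ${userPath}`);
  }
  if (!ALLOWED_EXT.has(path.extname(full).toLowerCase())) {
    throw new Error(`unsupported file type: ${userPath}`);
  }
  return full;
}

// Hypothetical wrapper for functions whose first argument is a file path
// (readExcel, readCSV, writeExcel, writeCSV) or an array of paths (mergeFiles).
function confine(fn, baseDir) {
  return (first, ...rest) => {
    const safe = Array.isArray(first)
      ? first.map((p) => resolveInside(baseDir, p))
      : resolveInside(baseDir, first);
    return fn(safe, ...rest);
  };
}
```

A caller would wrap each function once, for example `const safeReadCSV = confine(readCSV, '/srv/etl-data')`, and expose only the wrapped versions to the agent.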
Capability assessment
Purpose & Capability
Name/description (safe Excel/CSV ETL) aligns with the provided code: read/write CSV & XLSX, cleaning, transforms, merging. The code uses exceljs/csv libs and only performs local file I/O and in-memory transformations — consistent with purpose.
Instruction Scope
SKILL.md and index.js instruct only local file reads/writes and transformations, and the code contains no eval/child_process/network calls. However SKILL.md and skill.yaml claim disable-model-invocation: true (skill should not be autonomously invoked) while the registry flags provided at the top indicate disable-model-invocation is false on the platform — a configuration mismatch that affects runtime behavior and security assumptions.
Install Mechanism
There is no install spec (instruction-only) which is low risk, but the included package-lock.json contains many 'resolved' URLs pointing to a third-party/npm mirror (mirrors.tencentyun.com) over HTTP. This contradicts the skill's claim that dependencies come from the official HTTPS npm registry and could be a supply-chain / integrity concern if packages are installed using that lockfile.
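A check for the lockfile concern described above, as an added example that is not part of the skill or the platform: it flags `resolved` URLs that are not HTTPS or not on the official registry host, and entries with no `integrity` value. The sample lockfile is constructed; only the mirror host comes from this page.

```javascript
const OFFICIAL_HOST = 'registry.npmjs.org';

// Returns a list of { name, issue } findings for a parsed package-lock.json.
function auditLockfile(lock) {
  const findings = [];
  const visit = (name, entry) => {
    // In lockfileVersion 2/3, "dependencies" values are version strings: skip them.
    if (!entry || typeof entry !== 'object') return;
    if (typeof entry.resolved === 'string' && !entry.link) {
      let url = null;
      try { url = new URL(entry.resolved); } catch { /* not a URL */ }
      if (!url) {
        findings.push({ name, issue: 'unparseable-resolved' });
      } else {
        if (url.protocol !== 'https:') findings.push({ name, issue: 'not-https' });
        if (url.hostname !== OFFICIAL_HOST) findings.push({ name, issue: 'non-official-host' });
      }
      if (!entry.integrity) findings.push({ name, issue: 'missing-integrity' });
    }
    // lockfileVersion 1 nests packages under "dependencies".
    for (const [dep, child] of Object.entries(entry.dependencies || {})) visit(dep, child);
  };
  // lockfileVersion 2 and 3 list every package under "packages", keyed by install path.
  for (const [key, entry] of Object.entries(lock.packages || {})) visit(key || '(root)', entry);
  if (!lock.packages) visit('(root)', lock);
  return findings;
}

// Constructed sample: package names, versions, URL paths and the hash are
// placeholders; the mirror host is the one named in the assessment above.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'li-etl-handle-safe', version: '1.0.2' },
    'node_modules/example-a': {
      version: '1.0.0',
      resolved: 'http://mirrors.tencentyun.com/npm/example-a/-/example-a-1.0.0.tgz',
      integrity: 'sha512-PLACEHOLDER',
    },
    'node_modules/example-b': {
      version: '2.0.0',
      resolved: 'https://registry.npmjs.org/example-b/-/example-b-2.0.0.tgz',
    },
  },
};
```

To check a real file, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `auditLockfile` and treat any finding as a reason to regenerate the lockfile against the official registry.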
Credentials
The skill requests no environment variables, no credentials, and accesses only local file system paths provided to its functions. This is proportionate to an ETL utility.
Persistence & Privilege
The skill's manifest (skill.yaml and SKILL.md) claim disable-model-invocation: true, but the registry/platform metadata shows disable-model-invocation: false (default). Because autonomous invocation is allowed by the platform as provided, the skill could be invoked automatically unless platform configuration prevents it — this mismatch should be resolved. always: false (good).
How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install li-etl-handle-safe
  3. Once installed, call the skill by name or trigger it with /li-etl-handle-safe
  4. Provide the required inputs according to the skill's parameter description to get structured output
Version history
v1.0.2
li-etl-handle-safe v1.0.2
  • Fixed issues with CSV parsing and Excel file writing.
  • Improved and expanded functional tests.
  • Updated documentation to reflect bug fixes and test improvements.
v1.0.1
  • Added initial test files: test.js, test-data.csv, and test-output.csv for automated and sample data testing.
  • Included package-lock.json for dependency tracking and reproducibility.
  • Made updates to index.js for improved testability and/or stability (details not specified).
v1.0.0
Initial secure release with improved safety and Excel/CSV processing features:
  • Removed all arbitrary code execution functionality for enhanced safety.
  • Replaced vulnerable xlsx library with secure exceljs dependency.
  • Supports reading, writing, cleaning, transforming, and merging of Excel (.xlsx, .xls via conversion) and CSV files.
  • Includes robust data cleaning (e.g., remove empty/duplicate rows), column transformation, filtering, and sorting.
  • All operations are local and block custom script execution by design.
Metadata
Slug: li-etl-handle-safe
Version: 1.0.2
License: MIT-0
Total installs: 0
Current installs: 0
Versions: 3
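FAQ

What is Li Etl Handle Safe?

Safely processes Excel and CSV files; supports reading, writing, cleaning, transforming and merging data, prohibits arbitrary code execution, and safeguards data security. It is an AI agent skill plugin for Claude Code / OpenClaw, with 266 total downloads to date.

How do I install Li Etl Handle Safe?

Run the command "/install li-etl-handle-safe" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is required.

Is Li Etl Handle Safe free?

Yes, Li Etl Handle Safe is completely free. It is released under the MIT-0 license and can be freely downloaded, installed and used.

Which platforms does Li Etl Handle Safe support?

Li Etl Handle Safe is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Li Etl Handle Safe?

It is developed and maintained by Terry S Fisher (@43622283); the current version is v1.0.2.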
