Read, write, and generate Excel files with correct types, dates, formulas, and cross-platform compatibility.
Security Analysis
high confidenceThe skill's requirements, instructions, and behavior are consistent with its stated purpose (reading/writing Excel files); it is instruction-only, requests no credentials, and only stores small preference memory in the user's home directory.
Name and description match the runtime instructions: everything in SKILL.md is about reading, writing, and generating Excel files. The skill requests no binaries, environment variables, or external credentials — which is appropriate for a local Excel helper.
Instructions stay focused on Excel tasks (dates, formulas, streaming large files, cross-platform quirks). They direct the agent to read setup.md, ask user preferences, and store preferences in ~/excel-xlsx/memory.md. The skill also claims that processing is local and no external services are called — this is consistent with the content but cannot be verified at runtime because it's instruction-only.
No install spec or third-party downloads; the skill is instruction-only with no code files, so nothing is written to disk beyond the small memory file the skill asks to create (with user consent). This is low-risk from an install perspective.
The skill requests no environment variables, credentials, or config paths beyond a user-writable memory file in the home directory. That is proportional to the stated purpose.
The skill persists user preferences to ~/excel-xlsx/memory.md and can save an 'integration preference' that lets it activate automatically when spreadsheets are encountered. always: false and no system-wide changes mitigate risk, but users should explicitly consent to activation and be aware the memory file preserves those preferences.
Guidance
This skill appears coherent and low-risk, but review these points before installing: - Consent and memory: The skill will store preferences and integration settings in ~/excel-xlsx/memory.md. Only allow this if you're comfortable with a small local file recording activation preferences and Excel-related settings. Inspect or delete that file if you uninstall. - Activation behavior: If you tell the skill to 'activate automatically', it may run when you mention spreadsheets. If you prefer tighter control, decline automatic activation and invoke the skill manually when needed. - Local processing claim: SKILL.md states all file processing is local and no network calls are made — this matches the manifest (no install, no network endpoints). If the skill later asks you to upload files to an external service or to provide credentials, treat that as a red flag. - Macros and file types: The documentation correctly warns that XLSM files can contain macros. Never enable macros or run unknown macro-enabled files unless you trust the source. - Trust and provenance: The skill is instruction-only (no code shipped) and the source is listed as unknown/third-party. If you require stronger provenance, check the homepage and publisher reputation before installing. If you want extra caution: ask the skill to show you the exact contents of the memory file it would write before it saves anything, and decline automatic activation until you're confident.
Latest Release
v1.0.1
Added Core Rules and modern skill structure
More by @ivangdavila
Published by @ivangdavila on ClawHub
