Skywork Excel (skywork) - Use for ANY task involving Excel, spreadsheets, tables, data analysis, or file conversion. Has BUILT-IN web search for real-time da...
Security Analysis
high confidenceThis skill is internally consistent with its stated purpose: it needs a SKYWORK_API_KEY and python3 to upload user files to the Skywork backend and stream progress logs; nothing in the code or instructions appears incoherent or unrelated to Excel/spreadsheet processing.
Name/description, required binary (python3), primary env (SKYWORK_API_KEY), service endpoints (api-tools.skywork.ai) and included client code all align with an external Excel-processing backend. Requested artifacts (file uploads, SSE health/progress) are expected for this purpose.
SKILL.md strictly instructs the agent to forward the user's query verbatim and to NOT locally read or reinterpret user files, instead uploading them to the backend. That is coherent with the design (backend does the parsing), but it reduces any chance for local sanitization or redaction and requires forwarding potentially sensitive content unchanged.
No install spec (instruction-only + small python scripts) — nothing is downloaded from arbitrary URLs or written to system locations beyond temporary logs and user workspace; low install risk.
Only SKYWORK_API_KEY is required, which is proportional to contacting the external Skywork API. However, the skill uploads user files and forwards raw queries to a third-party service, so the API key and any files you provide effectively grant that service access to the data — a privacy/credential-impact consideration (expected for this functionality).
always is false and the skill does not request or modify other skills' configs. It writes logs to /tmp and may write outputs to user workspace, which is expected and scoped to the skill.
Guidance
This skill appears to do what it claims, but be aware of data-flow and privacy implications before installing: - The client uploads local files and forwards your query verbatim to an external Skywork backend (api-tools.skywork.ai). Do not send sensitive or confidential files/PII unless you trust the Skywork service and have appropriate agreements in place. - The skill requires storing an API key (SKYWORK_API_KEY). Store and manage that key securely and ensure you can revoke it if needed. - The SKILL.md explicitly forbids local inspection or sanitization of files (the backend performs file reading). If you need local redaction, do it before invoking the skill. - The skill runs a background process, writes progress logs to /tmp, and downloads outputs to your workspace; ensure file locations and log retention meet your policies. - No obfuscated code or unexpected network endpoints were found in the shipped scripts; still verify the Skywork privacy/TOS and consider testing with non-sensitive data first.
Latest Release
v1.0.8
- Simplified and shortened the skill description and trigger keywords for easier reading. - Clarified prerequisite instructions and API key setup steps. - Streamlined language about capabilities and trigger logic. - No changes to core workflow, polling, or error handling. - Documentation now more concise, focused on usability and key commands.
More by @gxcun17
Published by @gxcun17 on ClawHub
