Office Automation Toolkit

Review: Audited by ClawScan on May 15, 2026.

Overview

The toolkit is mostly a coherent office-tool registry, but it also advertises broad preconfigured Feishu/Lark account access and persistent browser sessions without clearly declared scopes.

Review and limit the Feishu/Lark credentials before installing or using this skill. If you run the bootstrap script, do so in a controlled environment and verify the package list. Treat any saved browser auth.json file as a sensitive login credential.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent using this toolkit may be able to act through a preconfigured enterprise Feishu/Lark identity for messages, documents, calendars, mail, tasks, or approvals without clear per-action boundaries.

Why it was flagged

This advertises preconfigured delegated Feishu/Lark account access with a very broad command surface, while the submitted metadata declares no primary credential or required environment variables.

Skill content

lark-cli | Official Feishu CLI, 200+ commands, covering messages/documents/sheets/calendar/mail/tasks/approvals ... Credentials are preconfigured by Hermes; lark-cli binds them automatically via `config bind --source hermes`.

Recommendation

Declare the credential requirement and identity, document allowed scopes, and require explicit user approval for write/send/delete/approval actions.

What this means

Later browser automation could reuse a saved logged-in session for the scanned account.

Why it was flagged

Saving auth.json creates reusable browser login state, which is purpose-aligned for automation but sensitive if not scoped, protected, or deleted when no longer needed.

Skill content

Browser → Playwright (zero configuration; the first run is headed so you can scan the QR code → auth.json is saved, and later runs are headless)

Recommendation

Store auth.json only in a task-specific protected location, limit it to intended sites/accounts, and remove it when the automation is finished.

What this means

Running the script can add or update many local dependencies from external repositories.

Why it was flagged

The helper script installs unpinned packages and downloads a browser binary from external package managers. This is expected for a bootstrapper, but it expands the local software supply chain.

Skill content

pip3 install --quiet "$pkg" ... sudo apt-get install -y -qq "$pkg" ... playwright install chromium

Recommendation

Run the bootstrapper in a virtual environment or disposable workspace where possible, review the package list, and pin/audit dependency versions for production use.