Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

kdocs skill

v1.3.2

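Kingsoft Docs (WPS Cloud Docs / 365.kdocs.cn / www.kdocs.cn): an online cloud document platform. [Official Kingsoft Docs Skill]. When the user mentions Kingsoft Docs, Kdocs, cloud documents, online documents, collaborative documents, smart documents, cloud spreadsheets, online spreadsheets, online Excel, smart spreadsheets, multi-dimensional tables, online PDF, presentations, PPT, knowledge base, personal knowledge base...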

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Benign
OpenClaw
Benign (high confidence)
Purpose & Capability
Name/description (Kdocs/WPS cloud document operations) match the files and instructions: SKILL.md documents many kdocs APIs and workflows, and the provided scripts implement token acquisition and mcporter registration needed to call the kdocs MCP endpoints.
Instruction Scope
Runtime instructions and scripts focus on obtaining an auth token via a browser login flow, storing it in mcporter, and invoking MCP tools. They explicitly forbid echoing tokens and discourage writing tokens to environment variables. They also perform legacy-token migration by reading/removing KINGSOFT_DOCS_TOKEN from a local .env file, which is within scope but is a file modification users should be aware of.
Install Mechanism
No automatic install spec in the registry; this is instruction-first. Scripts may auto-install mcporter globally via npm only when explicit flags are supplied. Network calls go to plausible official domains (api.wps.cn, mcp-center.wps.cn). No downloader from an arbitrary short URL or personal IP is present.
Credentials
The skill declares no required env vars. The scripts intentionally read legacy tokens from KINGSOFT_DOCS_TOKEN or a local .env for migration and will remove that key from .env after migration. Writing the authorization header into mcporter config is required for MCP usage and is proportionate; users should be aware the script modifies local mcporter configuration and may delete the legacy token entry from a .env file.
Persistence & Privilege
Skill is not always-on. It writes/updates its own mcporter kdocs configuration (expected for a connector) and may remove a legacy token key from a local .env file; it does not modify other skills or system-wide settings beyond optional global npm installs when explicitly requested.
Assessment
This skill appears to do what it claims: open a browser-based WPS login, poll WPS's token-exchange API, and save the resulting Authorization header into your mcporter configuration so the agent can call Kdocs MCP tools. Before running:
1) Confirm you trust the skill source (scripts will call api.wps.cn and mcp-center.wps.cn).
2) Back up any local .env you care about — the setup/get-token scripts will remove KINGSOFT_DOCS_TOKEN from .env during migration and may delete an empty .env.
3) Do not paste your token into chat; follow the scripted flow or manual instructions.
4) Avoid passing the auto-install flags unless you trust the npm package provenance (the script can run npm install -g mcporter if you explicitly allow it).
5) If you want to audit actions, run the scripts manually in a shell to inspect their behavior (they are plain-text and not obfuscated).
If you need the publisher identity verified, request a signed/official distribution source before granting production use.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
get-token.js:123
Shell command execution detected (child_process).


Runtime requirements

📝 Clawdis
