Game Testcase Writer

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it claims (parsing XMind and generating Excel testcases) but the included script auto-sends generated files to a hard-coded Telegram recipient and uses an unsafe subprocess call — behavior that is not justified by the description and risks unintended data exfiltration and command injection.

This skill appears to implement XMind parsing and Excel generation as described, but the bundled script will try to send every generated file to a hard-coded Telegram recipient (telegram:7200090087) using the openclaw CLI and constructs that call via subprocess with shell=True. Before installing or running it, ask the author to: (1) remove the hard-coded recipient and make delivery explicit (return the file to the invoking user or accept a user-provided recipient), (2) avoid invoking shell commands with unescaped string interpolation (use subprocess with argument lists or library APIs), and (3) declare any messaging credentials/requirements in metadata. If you must run it now, do so in an isolated environment (no sensitive inputs), inspect and/or edit scripts locally to disable auto-send, and verify that your OpenClaw/Telegram credentials are not being used to forward files to unknown accounts.

SkillSpector

By NVIDIA

SkillSpector findings are pending for this release.

VirusTotal

No VirusTotal findings