ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Wps Skill

v1.0.1

Automate WPS Office tasks including document creation, opening, format conversion, batch processing, and managing WPS 365 smart forms, docs, sheets, flowchar...

3· 3.8k·23 current·27 all-time
byMaxStormSpace@lilei0311
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description advertise local WPS automation and optional WPS 365 features; scripts/main.py implements local document creation, opening, format conversion, batch processing, and mentions REST API/OAuth for cloud features. Required binaries/env/config are proportional (optional app_id/app_secret for cloud use).
Instruction Scope
SKILL.md instructs the agent to run the included Python script and to supply config.json values; it explicitly documents use of pyautogui (GUI automation) and subprocess calls. That scope is appropriate for a desktop automation skill but carries the expected safety concerns: GUI automation will interact with the active window and file operations will read/write user-specified paths. The instructions do not ask the agent to read unrelated system files or arbitrary credentials.
Install Mechanism
This is instruction-only with no archive downloads or remote installers. Dependencies are installed via pip (normal). No suspicious external download URLs or extract actions are present.
Credentials
No environment variables are required. The skill optionally uses config.json to hold app_id/app_secret for WPS 365; that is reasonable and marked secret in skill.json. Minor inconsistency: SKILL.md's install list includes 'requests' while README/skill.json dependency list omits it (if cloud features use HTTP, requests will be needed).
Persistence & Privilege
The skill does not request always:true and does not claim to modify other skills or global settings. It requires normal file and GUI access for its functionality and can be invoked by the agent as usual.
Assessment
This skill appears to do what it says: local WPS automation and optional WPS 365 calls. Before installing, note: 1) GUI automation (pyautogui) can type into whichever window is active — only run in a controlled environment; 2) if you plan to use cloud features, only supply app_id/app_secret in a private environment and consider using environment variables instead of a file; 3) SKILL.md suggests installing 'requests' but the package list omits it—if you need cloud features, ensure 'requests' (or an HTTP client) is available; 4) review scripts/main.py yourself (or run in a sandbox/VM) before granting accessibility permissions on macOS. If you need a higher-assurance review of the cloud API code paths (token handling, endpoints used), provide the remainder of scripts/main.py (cloud-related sections) for inspection.

Like a lobster shell, security has layers — review code before you run it.

latestvk97a69nrzpqh5qr7ajbwnj7xy5817ps3

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments