Wps Skill

Security checks across malware telemetry and agentic risk

Overview

This is a mostly coherent WPS Office automation skill, but it can be invoked by very generic document-related triggers and then type user-supplied text into whichever desktop window is active.

Install only if you are comfortable letting an agent create/open/convert files and control your desktop. Keep WPS focused during content entry, avoid broad batch directories, leave WPS 365 credentials blank unless needed, and treat generic document requests cautiously because the trigger patterns are broad.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Missing User Warnings

Medium (88% confidence)
Finding
The README documents commands that create documents, open files, convert formats, and batch-process directories, but it does not clearly warn users that these actions will write new files or modify contents in the configured save path or target directory. In an agent/automation context, insufficient disclosure about filesystem side effects can lead to unintended overwrites, mass conversions, or changes across many files, especially when users invoke natural-language requests through OpenClaw.

Missing User Warnings

Medium (86% confidence)
Finding
The skill creates files at user-influenced paths without any user-facing disclosure, confirmation, or path restriction. In an agent setting, this can silently alter the local filesystem, overwrite expected workspace contents, or plant files that are later opened or trusted by the user.

Missing User Warnings

Medium (90% confidence)
Finding
This code silently launches a local desktop application as a side effect of a document operation. In an agent context, undisclosed app launches can surprise users, trigger document handlers, and serve as a stepping stone for unsafe UI automation or social-engineering style misuse.

Missing User Warnings

High (98% confidence)
Finding
Typing attacker-controlled content into the active window via pyautogui is dangerous because the active window may not be WPS at all. In an agent or desktop environment, this can send arbitrary keystrokes to terminals, chat apps, password prompts, admin consoles, or browsers, causing data exfiltration, command execution, or destructive unintended actions.

Missing User Warnings

Medium (90% confidence)
Finding
The skill opens arbitrary caller-supplied files without disclosure or policy checks. In practice, this may cause sensitive local files or attacker-planted documents to be opened in associated applications, potentially invoking risky document macros, external links, or simply exposing local data unexpectedly.

Missing User Warnings

Medium (84% confidence)
Finding
The conversion routine reads user-specified input and writes derived output files without clear user disclosure or path controls. In an agent environment, silent file reads and writes can expose sensitive local content into new formats or locations and create artifacts the user did not authorize.

Missing User Warnings

Medium (88% confidence)
Finding
The code transmits app credentials to a remote API endpoint with no user-facing disclosure that secrets will leave the local environment. In a skill context, hidden credential use materially increases risk because users may believe the skill is local-only while it performs authenticated network actions.

Missing User Warnings

Medium (87% confidence)
Finding
Authenticated HTTP requests can transmit user, document, or workflow data to a remote service, yet this occurs without visible disclosure or consent. In an automation skill, undisclosed exfiltration paths are particularly concerning because operators may assume all processing is local while sensitive metadata or content is sent over the network.

Vague Triggers

Medium (94% confidence)
Finding
The trigger list contains many generic, high-frequency terms such as "wps", "文档", "表格", "excel", and "word", which are likely to match normal user requests unrelated to intentional use of this specific skill. Because the skill exposes an `exec` tool and automates desktop document actions, accidental invocation could cause unintended command execution paths or disruptive GUI automation in response to everyday office-related prompts.

VirusTotal

66/66 vendors flagged this skill as clean.
