Wps Skill

What to check before installing/using: - Review the included Python files (especially scripts/main.py and any network-related modules) for unexpected network calls (search for requests, urllib, socket) or code that uploads files/credentials. The SKILL.md and config.json indicate app_id/app_secret are stored in plaintext — don't put real production credentials in config.json; prefer environment variables or a secret store. - The SKILL uses pyautogui (GUI automation) and subprocess to open/drive WPS. That can send keystrokes to whatever window is active — test in a VM/sandbox or disable GUI automation if you don't need it. - SKILL.md's pip install line is incomplete. Before running, install and audit the actual dependencies observed in the code (python-docx, openpyxl, python-pptx/pptx, Pillow, pyautogui, pyperclip, requests, etc.) and run tests in an isolated environment. - Verify the code provenance: SKILL.md references a GitHub URL but the registry lists source unknown. Prefer installing only skills with a verifiable upstream repository and commits you can inspect. - If you plan to allow autonomous agent invocation, limit the skill's permissions or disable autonomous use until you're comfortable with the code (or run behind policies that prevent file exfiltration). Consider running static scans and grepping the repository for suspicious patterns (hardcoded endpoints, outbound IPs, base64/exec/eval, writing credentials to network locations). - If confidence is required before deployment, request the upstream repository or ask the author for a signed release and for credential handling to be changed to environment variables/secrets rather than plaintext config.json.