小弟办公秘书团队
ReviewAudited by ClawScan on May 10, 2026.
Overview
This office-assistant skill is mostly coherent, but review is recommended because its interactive mind-map HTML can run active browser code from unescaped user content and an external CDN.
Install only if you are comfortable reviewing generated files and using it with non-secret or explicitly selected office content. Be especially cautious with the Markmap/HTML mind-map output: do not open HTML generated from untrusted emails or documents unless the skill is fixed to sanitize content. If you connect real email or calendar accounts later, grant only narrow, revocable permissions.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If meeting notes, emails, or pasted text contain malicious HTML/script content, the generated mind-map file could run code when opened in a browser.
The generated Markmap HTML loads remote JavaScript and inserts user-derived title/content into HTML without escaping, so opening a mind map made from untrusted text could execute injected browser code.
<script src="https://cdn.jsdelivr.net/npm/markmap-autoloader"></script> ... <h1>🧠 {structure['title']}</h1> ... <script type="text/template">\n{markdown_content}Sanitize or HTML-escape all inserted content, avoid breaking out of template script blocks, pin or self-host the Markmap dependency, and warn users before opening generated HTML from untrusted input.
Document conversion may read selected files and write or overwrite output files.
The document workflow allows file read/write and command execution, which is expected for Markdown-to-docx/PDF formatting but can affect local files if paths or commands are not user-reviewed.
"document-manager": { ... "tools": { "allowlist": [ "read", "write", "exec", "pdf" ] } }Use explicit input/output paths, review generated files before sharing, and avoid running formatting commands on untrusted documents without inspection.
If later connected to mailbox or calendar accounts, the skill could handle private account data.
The workflows describe pulling unread email and scanning calendars/todos, while the supplied metadata declares no primary credential or required account configuration; no credential capture is shown, so this is a boundary note rather than evidence of abuse.
### 邮件处理流程\n1. 拉取未读邮件 ... ### 日程管理流程\n1. 扫描日历和待办事项
Prefer pasted/explicitly selected email or calendar content unless the skill clearly asks for narrow, revocable account permissions.
Pasted meeting records and extracted action items may remain on disk after the task finishes.
Generated meeting minutes are persisted under the skill's data directory, which is aligned with the feature but may retain sensitive meeting content.
OUTPUT_DIR = SKILL_DIR / "data" / "meetings" ... filepath.write_text(minutes, encoding='utf-8')
Do not include secrets unless necessary, review generated files, and delete stored meeting or mind-map outputs when no longer needed.
Sensitive office content could be passed between the coordinator and specialist agents during a workflow.
The architecture explicitly enables a message bus and sessions_send-style inter-agent communication, so task content and results may be shared among worker agents.
"message_bus": { "enabled": true, "topics": [ "tasks", "results", "alerts" ] }, "inter_agent": { "protocol": "sessions_send", "timeout": 60 }Use the skill only with agents/models you trust, and avoid including confidential data unless inter-agent sharing is acceptable.