Xiaodi Office Secretary Team
Pass
Audited by VirusTotal on May 5, 2026.
Overview
Type: OpenClaw Skill
Name: xiaodi-office-team
Version: 1.0.1
The skill bundle implements a sophisticated multi-agent office productivity suite, but it requests several high-risk permissions in 'architecture.json', specifically 'exec' for the document-manager and 'cron' for the schedule-manager. While these capabilities are plausibly linked to the stated features (running the 'doc_formatter.py' script and managing meeting reminders), they grant the agent the power to execute arbitrary shell commands and establish persistence. The Python scripts themselves ('coordinator.py', 'doc_formatter.py', 'meeting_minutes.py') appear to contain legitimate logic for document processing and task routing without evidence of intentional malice or data exfiltration. However, the broad permission set and the use of external CDNs in 'mindmap.py' (cdn.jsdelivr.net) for rendering Markmap HTML warrant a suspicious classification due to the elevated attack surface.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If meeting notes, emails, or pasted text contain malicious HTML/script content, the generated mind-map file could run code when opened in a browser.
The generated Markmap HTML loads remote JavaScript and inserts user-derived title/content into HTML without escaping, so opening a mind map made from untrusted text could execute injected browser code.
<script src="https://cdn.jsdelivr.net/npm/markmap-autoloader"></script> ... <h1>🧠 {structure['title']}</h1> ... <script type="text/template">\n{markdown_content}
Sanitize or HTML-escape all inserted content, avoid breaking out of template script blocks, pin or self-host the Markmap dependency, and warn users before opening generated HTML from untrusted input.
Document conversion may read selected files and write or overwrite output files.
The document workflow allows file read/write and command execution, which is expected for Markdown-to-docx/PDF formatting but can affect local files if paths or commands are not user-reviewed.
"document-manager": { ... "tools": { "allowlist": [ "read", "write", "exec", "pdf" ] } }
Use explicit input/output paths, review generated files before sharing, and avoid running formatting commands on untrusted documents without inspection.
If later connected to mailbox or calendar accounts, the skill could handle private account data.
The workflows describe pulling unread email and scanning calendars/todos, while the supplied metadata declares no primary credential or required account configuration; no credential capture is shown, so this is a boundary note rather than evidence of abuse.
### Email processing workflow\n1. Pull unread emails ... ### Schedule management workflow\n1. Scan calendars and to-do items
Prefer pasted/explicitly selected email or calendar content unless the skill clearly asks for narrow, revocable account permissions.
Pasted meeting records and extracted action items may remain on disk after the task finishes.
Generated meeting minutes are persisted under the skill's data directory, which is aligned with the feature but may retain sensitive meeting content.
OUTPUT_DIR = SKILL_DIR / "data" / "meetings" ... filepath.write_text(minutes, encoding='utf-8')
Do not include secrets unless necessary, review generated files, and delete stored meeting or mind-map outputs when no longer needed.
Sensitive office content could be passed between the coordinator and specialist agents during a workflow.
The architecture explicitly enables a message bus and sessions_send-style inter-agent communication, so task content and results may be shared among worker agents.
"message_bus": { "enabled": true, "topics": [ "tasks", "results", "alerts" ] }, "inter_agent": { "protocol": "sessions_send", "timeout": 60 }
Use the skill only with agents/models you trust, and avoid including confidential data unless inter-agent sharing is acceptable.
