Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
File Super Assistant - 文件超级助手
v1.0.0
File creation and AI-flavor removal assistant. Supports creating and editing docx/xlsx/pptx/pdf files, and rewrites AI-generated content in a human style.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (file creation + AI 'humanize') aligns with the included scripts and code: create_doc.py, create_xlsx/create_pptx/create_pdf implementations and remove_ai_flavor.py implement the advertised features. However, several scripts (file_assistant.py, create_openclaw_guide.py) use a hard-coded Windows OneDrive output directory (D:/OneDrive/Desktop/公众号文章) and files.json contains a local path — this is disproportionate to a generic 'file assistant' and reduces portability.
Instruction Scope
SKILL.md instructs running local scripts (create_doc.py, remove_ai_flavor.py), which is expected. The scripts perform only local file read/write and string transformations (no network calls). Concern: the default behavior writes into an absolute OneDrive Desktop path and will create files there without prompting, which may be surprising and could cause data exposure via the user's cloud sync. The skill does not read unrelated system files, environment variables, or external endpoints.
Install Mechanism
No install spec — instruction-only with bundled scripts. No external downloads or package installs embedded in the skill. The scripts import common Python libraries but only when executed; missing deps are handled by informative ImportError messages. This is low-risk from an install/execution mechanism perspective.
Credentials
The skill requests no environment variables, no credentials, and no config paths in metadata. The code also does not attempt to access external secrets or network endpoints. The only notable environment interaction is writing files to a hard-coded filesystem location (OneDrive path) and trying to register Windows fonts for PDF creation — these are plausible for document generation but should be configurable.
Persistence & Privilege
The skill does not request always: true and does not alter other skills or system-wide agent settings. It does, however, persist records to files.json and will create/write files under the hard-coded OUTPUT_DIR. That persistent file I/O is normal for a document tool but the fixed OneDrive path increases the impact of writes (cloud-synced folder).
What to consider before installing
This skill appears to implement what it says (file creation and AI-to-human text rewrites) and does not contact external servers or request credentials. However, before installing or running:
1) Be aware the scripts default to writing files to D:/OneDrive/Desktop/公众号文章 — this may create/overwrite files in your OneDrive Desktop folder; change OUTPUT_DIR in file_assistant.py and template/output paths in the create_* scripts to a safe, expected directory (or pass explicit output paths when running the scripts).
2) files.json contains a local path from the author — treat that as leftover personal data and delete or replace it if unwanted.
3) The PDF script tries Windows font paths; on non-Windows systems behavior will differ (it may create a directory named "D:").
4) Run the scripts in a sandbox or with a non-synced workspace first to confirm behavior.
If you need higher assurance, ask the publisher to remove hard-coded absolute paths or to make output directories configurable via arguments or environment variables.
Like a lobster shell, security has layers — review code before you run it.
