Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Wps Skill

v1.3.0

WPS Office automation skill supporting document creation, Markdown conversion, and image-text layout.

by MaxStormSpace @lilei0311
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (WPS Office automation, MD conversion, image layout) match the included code: converters for MD→docx/xlsx/pptx, image handling, and a controller that launches WPS via subprocess and uses pyautogui for typing. Asking for WPS app path / optional WPS 365 credentials is consistent with the functionality.
Instruction Scope
SKILL.md directs running the included scripts and warns it uses pyautogui (GUI automation) and filesystem operations. The instructions tell the agent/user to open, create, and modify local files and to put app_id/app_secret into config.json. That grants broad file/modification scope and the ability to simulate keyboard input to the active window; these behaviors are potentially disruptive and warrant caution. The install/usage docs also omit several real runtime dependencies seen in the code (python-docx, openpyxl, python-pptx), which means a user following the instructions may get unexpected errors or attempt manual fixes.
Install Mechanism
There is no formal install spec (instruction-only), so nothing arbitrary is fetched during skill install — low distribution risk. However, SKILL.md's pip install line is incomplete relative to the codebase (it lists requests, pyautogui, pyperclip, Pillow but the code clearly imports docx, openpyxl, pptx/pptx.util, python-pptx, etc.). This mismatch is an operational/integrity concern (missing deps) rather than a direct supply-chain download risk.
Credentials
The registry metadata declares no required env vars, but the skill expects optional WPS 365 credentials (app_id/app_secret) stored in config.json. Storing secrets in a plain JSON file is less secure than env vars; SKILL.md mentions 'will support env vars soon' but currently recommends editing config.json. That is disproportionate risk for a cloud-integration feature and may lead to credentials being left in plaintext. The skill also requires accessibility/automation permissions on macOS (pyautogui), which is a privilege to consider.
Persistence & Privilege
always is false (no forced enrollment), and model invocation is allowed (default). The combination of autonomous invocation and pyautogui/file-modifying code increases blast radius: if the agent runs this skill autonomously it can interact with the user's GUI and files. This is not a platform misconfiguration, but it is a meaningful operational risk and should inform whether you permit autonomous execution.
What to consider before installing
What to check before installing/using:

  • Review the included Python files (especially scripts/main.py and any network-related modules) for unexpected network calls (search for requests, urllib, socket) or code that uploads files/credentials. The SKILL.md and config.json indicate app_id/app_secret are stored in plaintext — don't put real production credentials in config.json; prefer environment variables or a secret store.
  • The SKILL uses pyautogui (GUI automation) and subprocess to open/drive WPS. That can send keystrokes to whatever window is active — test in a VM/sandbox or disable GUI automation if you don't need it.
  • SKILL.md's pip install line is incomplete. Before running, install and audit the actual dependencies observed in the code (python-docx, openpyxl, python-pptx/pptx, Pillow, pyautogui, pyperclip, requests, etc.) and run tests in an isolated environment.
  • Verify the code provenance: SKILL.md references a GitHub URL but the registry lists source unknown. Prefer installing only skills with a verifiable upstream repository and commits you can inspect.
  • If you plan to allow autonomous agent invocation, limit the skill's permissions or disable autonomous use until you're comfortable with the code (or run behind policies that prevent file exfiltration). Consider running static scans and grepping the repository for suspicious patterns (hardcoded endpoints, outbound IPs, base64/exec/eval, writing credentials to network locations).
  • If confidence is required before deployment, request the upstream repository or ask the author for a signed release and for credential handling to be changed to environment variables/secrets rather than plaintext config.json.

Like a lobster shell, security has layers — review code before you run it.

latest vk9770fq9ywv3nteajnrwrcvnxx81asr3
1.7k downloads
1 star
3 versions
Updated 3h ago
v1.3.0
MIT-0

WPS Office Skill

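Introduction

A WPS Office automation Skill that supports local document operations and WPS 365 cloud collaboration features.

⚠️ Security Warning

Local automation risks

  • GUI automation: this Skill uses pyautogui to simulate keyboard input, which may interact with the currently active window
  • File operations: the Skill creates, opens, and modifies files; make sure you use it in a trusted environment
  • Permission requirements: on macOS, the Accessibility permission must be granted before the automation features can be used

Cloud credential security

  • Credential storage: WPS 365 features require app_id and app_secret to be configured. Recommendations:
    • Do not configure them on public devices or in shared environments
    • Rotate the credentials regularly
    • Use environment variables instead of a plaintext configuration file (support coming soon)
  • API calls: all WPS 365 API calls are transmitted over HTTPS

Recommendations

  • For first use, test in a sandbox or virtual machine
  • Review the scripts/main.py source code to confirm that it behaves as expected
  • If you do not need the WPS 365 features, leave app_id and app_secret empty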

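Features

Local document operations (no credentials required)

  • 📄 Create documents - create Word, Excel, and PPT documents
  • 📂 Open documents - open existing documents
  • 📋 Document list - list the files in the documents directory
  • 🔄 Format conversion - supports MD to Word/RTF/HTML
  • 📦 Batch processing - convert document formats in bulk

Markdown conversion (new)

  • 📝 MD → Word - full Markdown to Word conversion (supports headings, lists, tables, code blocks, and more)
  • 📝 Word → MD - export a Word document as Markdown
  • 📊 MD → Excel - Markdown to Excel (tables become worksheets, lists become data)
  • 📊 Excel → MD - Excel to Markdown
  • 🎬 MD → PPT - Markdown to PPT (headings become slides)
  • 🎬 PPT → MD - PPT to Markdown
  • 🖼️ MD with images - Markdown to Word with image handling

Image processing and text-image layout (new)

  • 🖼️ Word image insertion - insert images into a Word document, with alignment and caption support
  • 🖼️ Word image grid - insert images in bulk as a grid layout
  • 📐 Word text-image layout - supports image-left/text-right, image-right/text-left, image-above/text-below, and other layouts
  • 🖼️ PPT image insertion - insert images into PPT slides
  • 📐 PPT text-image layout - text-image layout on PPT slides (4 layouts)
  • 🖼️ Excel image insertion - insert images into Excel cells
  • 📐 Excel text-image layout - text-image layout in Excel cells
  • 🎨 Image processing - resize images, batch compression

WPS 365 cloud features (credentials required)

  • 📊 Smart forms - form creation, data collection
  • 📄 Smart documents - online collaborative documents
  • 📊 Multi-dimensional tables - view management, field management, advanced queries
  • 📊 Flowcharts - flowchart creation and export
  • 🧠 Mind maps - mind map creation and export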

Installation

1. Install dependencies

pip install requests pyautogui pyperclip Pillow

2. Configure the Skill

Edit config.json

{
  "default_save_path": "~/Documents/WPS",
  "wps_path": "",
  "app_id": "",
  "app_secret": ""
}

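3. Obtain WPS Open Platform credentials (optional)

Only needed when using the WPS 365 features:

  1. Visit https://open.wps.cn
  2. Register a developer account
  3. Create an application to obtain an App ID and App Secret
  4. Enter the credentials in config.json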
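One way to keep app_id and app_secret out of config.json until the skill supports environment variables itself. This is an added example, not the skill's own code; the variable names WPS_APP_ID and WPS_APP_SECRET and the functions load_config and redact are assumptions.

```python
import json
import os
import stat
from pathlib import Path

SECRET_KEYS = ("app_id", "app_secret")
ENV_PREFIX = "WPS_"  # hypothetical variable names: WPS_APP_ID, WPS_APP_SECRET


def load_config(path, environ=os.environ):
    """Load config.json, preferring credentials from the environment.

    Returns (config, warnings). A credential found in the file is still used
    as a fallback, but is reported so it can be moved out of plaintext.
    """
    cfg_path = Path(path).expanduser()
    config = json.loads(cfg_path.read_text(encoding="utf-8"))
    warnings = []
    in_file = [k for k in SECRET_KEYS if config.get(k)]
    if in_file:
        warnings.append(f"plaintext credentials in {cfg_path.name}: {', '.join(in_file)}")
        mode = stat.S_IMODE(cfg_path.stat().st_mode)
        if os.name == "posix" and mode & 0o077:
            warnings.append(f"{cfg_path.name} is readable by other users (mode {mode:o})")
    for key in SECRET_KEYS:
        value = environ.get(ENV_PREFIX + key.upper())
        if value:
            config[key] = value  # environment overrides the file
    return config, warnings


def redact(config):
    """Copy of config that is safe to log: secret values replaced by a marker."""
    return {k: ("***" if k in SECRET_KEYS and v else v) for k, v in config.items()}
```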

Usage

Local document operations

# Create a Word document
python scripts/main.py create type=writer filename=报告.docx

# Markdown to Word (legacy, simple conversion)
python scripts/main.py convert file=文档.md format=docx

# Batch conversion
python scripts/main.py batch_convert dir=~/Documents format=pdf

Markdown conversion (new)

# Markdown to Word (full version)
python3 scripts/main.py md_to_docx file=文档.md output=文档.docx title="我的文档"

# Word to Markdown
python3 scripts/main.py docx_to_md file=文档.docx output=文档.md

# Markdown to Excel (tables become worksheets)
python3 scripts/main.py md_to_xlsx file=数据.md output=数据.xlsx title="销售数据"

# Excel to Markdown
python3 scripts/main.py xlsx_to_md file=数据.xlsx output=数据.md

# Markdown to PPT (headings become slides)
python3 scripts/main.py md_to_pptx file=汇报.md output=汇报.pptx title="项目汇报"

# PPT to Markdown
python3 scripts/main.py pptx_to_md file=汇报.pptx output=汇报.md

# Markdown to Word (with image handling)
python3 scripts/main.py md_with_images_to_docx file=文档.md output=文档.docx image_width=4

Image processing and text-image layout (new)

Word text-image layout

# Insert an image into a Word document
python3 scripts/main.py insert_image docx=文档.docx image=图片.png width=4 align=center caption="图片标题"

# Insert an image grid
python3 scripts/main.py insert_image_grid images="1.png,2.png,3.png" cols=2 width=3 output=相册.docx

# Create a text-image layout
python3 scripts/main.py create_text_image_layout text="说明文字" image=图片.png layout=left output=图文.docx

PPT text-image layout (new)

# Insert an image into a PPT slide
python3 scripts/main.py insert_image_to_ppt pptx=汇报.pptx slide=1 image=图片.jpg left=1 top=1 width=4

# Create a PPT text-image layout
python3 scripts/main.py create_ppt_text_image_layout \
  pptx=汇报.pptx \
  slide=1 \
  text="这是说明文字" \
  image=图片.jpg \
  layout=left \
  image_width=4

Excel text-image layout (new)

# Insert an image into an Excel cell
python3 scripts/main.py insert_image_to_excel \
  xlsx=数据.xlsx \
  sheet=Sheet1 \
  cell=A1 \
  image=图片.jpg \
  width=100

# Create an Excel text-image layout
python3 scripts/main.py create_excel_text_image_layout \
  xlsx=数据.xlsx \
  sheet=Sheet1 \
  cell=A1 \
  text="说明文字" \
  image=图片.jpg \
  layout=right \
  image_width=100

Layout options:

  • layout=left - image on the left, text on the right
  • layout=right - image on the right, text on the left
  • layout=top - image above, text below
  • layout=bottom - text above, image below

WPS 365 cloud features

# Smart forms
python scripts/main.py form_list

# Smart documents
python scripts/main.py doc_list

# Multi-dimensional tables
python scripts/main.py sheet_list
python scripts/main.py sheet_views sheet_id=sheet_001

# Flowcharts
python scripts/main.py flow_list

# Mind maps
python scripts/main.py mind_list

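API implementation notes

Local feature implementation

  • Uses subprocess to launch the WPS Office application
  • Uses pyautogui to simulate keyboard input (to create documents with content)
  • File format conversion uses the local WPS engine or Python libraries

WPS 365 cloud feature implementation

  • Uses the WPS Open Platform REST API
  • OAuth 2.0 authentication flow
  • All API calls are encrypted with HTTPS
  • Supports automatic token refresh

API endpoints

  • Authentication: POST /auth/v1/token
  • Forms: /forms/v1/*
  • Documents: /docs/v1/*
  • Tables: /sheets/v1/*
  • Flowcharts: /flows/v1/*
  • Mind maps: /minds/v1/*

Troubleshooting

Local feature issues

  • WPS does not open: check that WPS is installed
  • Automation does not respond: check the macOS Accessibility permission
  • Format conversion fails: make sure the file format is supported

WPS 365 feature issues

  • API call fails: check that app_id and app_secret are correct
  • Network timeout: check the network connection and whether the API server is reachable
  • Insufficient permissions: check that the application has sufficient API permissions

Version Information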
