Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Office Reader
v0.1.0读取本地 Word、Excel、PowerPoint、PDF 及多种文本格式文件,支持内容解析和摘要输出。
⭐ 0· 67·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The description and SKILL.md claim a local Office/PDF reader (expected to need python-docx, python-pptx, pandas, openpyxl, pypdf). However the package only includes package.json/README/SKILL.md and no actual runtime script or Python code. package.json's main points to office-reader.ps1 (not present). The declared capabilities broadly match the task, but the absent script and mixed packaging signals are incoherent.
Instruction Scope
SKILL.md instructs invoking a PowerShell script (\.\skills\office-reader\office-reader.ps1) and gives examples of reading arbitrary local paths (C:\...). That local-file access is expected for this purpose, but the instructions assume a script will be run automatically — the script is not present, so it's unclear what code would run. The docs also reference calling another 'summarize' skill for PDFs. There is no instruction-level detail about network behavior; the SKILL.md claims 'not uploaded externally' but without code that cannot be verified.
Install Mechanism
No install spec is provided (instruction-only), but README and SKILL.md list Python dependencies and give a pip install line. There is no packaged installer, no explicit install steps for the agent, and no script files shipped. This mismatch (declared Python libs vs. no runtime files) is suspicious because it leaves unclear how dependencies would be installed or how the skill executes.
Credentials
The skill requests no environment variables or credentials, which is appropriate. However, it requires reading arbitrary local file paths when invoked — that is inherent to its purpose but is sensitive. The SKILL.md states files are not uploaded, but absence of code prevents verifying that claim.
Persistence & Privilege
Flags show always=false and normal model invocation is allowed. There is no evidence the skill requests elevated or persistent privileges or modifies other skills' configs.
What to consider before installing
Do not install or enable this skill yet. The runtime script (office-reader.ps1) and/or Python code are missing from the package, so you cannot verify what will execute. Ask the author to provide the actual script(s) and a clear install procedure (how Python deps are installed, whether any network calls are made). Before using, review the script for any network/upload calls or code that reads files outside intended paths. If you need a file-reader, prefer a package that includes its runtime files or from a trusted source and explicitly documents installation and privacy (no external uploads).Like a lobster shell, security has layers — review code before you run it.
latestvk97aa79g5km29hyksq970yggwd83qcva
License
MIT-0
Free to use, modify, and redistribute. No attribution required.