HR助手 (HR Assistant)

v1.2.5

Smart HR Assistant for Chinese small and medium businesses. Handles employee roster management, organizational structure, monthly payroll calculation (indivi...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (HR assistant for local Excel-based payroll/attendance) align with the shipped code: many Python modules (payroll_engine, attendance_manager, employee_manager, excel_adapter, hr_store) implement the advertised features. The declared manifest permissions (filesystem read/write) match the stated need to load and persist Excel/JSON files. One minor inconsistency: top-level registry summary lists no required binaries, while skill.yaml requires python3 and packages (openpyxl, xlrd) — this is likely an authoring mismatch but not a functional surprise.
Instruction Scope
SKILL.md explicitly instructs the agent to only process user-uploaded Excel files and to store all data locally (.hr-data). The code shown reads given file paths via ExcelAdapter/EmployeeManager and persists to .hr-data, which is coherent. Caveat: the skill accepts arbitrary file paths provided by the user; if a user (or attacker via UI) supplies a path to a sensitive file, the skill will attempt to open/read it according to its Excel handling logic. The SKILL.md states it will not process non-Excel files, but some code paths fall back to attempting to open unknown extensions with openpyxl/xlrd — so user input of paths should be treated carefully.
Install Mechanism
There is no install spec (instruction-only install), so nothing is downloaded at install time, which lowers installation risk. However, skill.yaml declares Python dependencies (openpyxl, xlrd). Running the skill therefore requires installing these packages, but the skill does not include an automated installer; this is normal but worth noting. No network endpoints (external URLs) were found in the provided file excerpts.
Credentials
The skill requests no environment variables or external credentials. It requires filesystem read/write which is justified by local Excel import and .hr-data persistence. No extra secrets or unrelated service tokens are requested.
Persistence & Privilege
The skill persists its own data under .hr-data in the user's workspace and does not claim to alter other skills or system-wide settings. always:false (default) and model invocation is allowed (normal). The persistence behavior (write audit logs, conversations, payroll JSON) is expected for an HR assistant but is privacy-sensitive — data remains local per the docs.
Scan Findings in Context
[system-prompt-override] expected: The skill ships role prompts and onboarding conversation templates (prompts/onboarding.md and SKILL.md content) that set system/assistant role and dialog flows. This is normal for an NLP-driven assistant, but such embedded prompts can attempt to influence agent behavior; review them to ensure they don't contain unexpected instructions (they appear to be onboarding/dialog guidance here).
Assessment
This package looks like a legitimate local Excel-based HR/payroll tool whose code and instructions match the advertised purpose. Before installing or running it:
1) Verify dependencies (python3, openpyxl, xlrd) are installed in an isolated environment (venv/container).
2) Inspect the omitted/truncated files for any network calls or telemetry (none were visible in provided excerpts, but some files were truncated).
3) Only supply Excel files you trust — the tool will open any user-provided path, so do not point it at system/private files.
4) Review prompts/onboarding.md and SKILL.md if you are concerned about prompt content influencing the agent.
5) If you will run this in production or with real employee data, run the test suite locally and store .hr-data in a controlled location with backups and access controls.
If you want me to, I can scan the remaining truncated files for network or credential-usage patterns before you install.

Like a lobster shell, security has layers — review code before you run it.

Tags: attendance, business, chinese, employee-management, hr, latest, payroll, sme, tax
