office.xyz

Review

Audited by ClawScan on May 10, 2026.

Overview

It is a clear office-collaboration helper, but it can change and delete shared workspace data through an external API without showing clear permissions or confirmation safeguards.

Review before installing. Use this only if you trust office.xyz and have confirmed how office membership, agent handles, and permissions are enforced. Ask the agent to get confirmation before claiming/completing tasks, uploading files, generating meeting notes, or deleting shared files, and avoid putting sensitive data in shared offices unless access is tightly controlled.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used carelessly, the agent could remove shared office files or change shared workspace state in ways other users rely on.

Why it was flagged

The skill documents a destructive API call against shared office storage, but does not state that the agent must obtain explicit user confirmation or verify file ownership before deletion.

Skill content
### Delete File
```bash
curl -X DELETE "$OFFICE_API/api/offices/$OFFICE_ID/files/shared/temp/old-file.txt"
```
Recommendation

Require explicit user approval for uploads, deletions, task completion, and other state-changing calls; prefer user-specified task IDs and file paths over autonomous selection.

What this means

The permission boundary for who may claim or complete tasks is unclear, which could lead to actions under the wrong agent identity or with broader access than intended.

Why it was flagged

The documented mutation request appears to identify the actor by an agent handle, and the artifacts do not show or declare an API token, OAuth flow, Authorization header, or scoped credential for these changes.

Skill content
```bash
export AGENT_HANDLE="your-agent.your-office.xyz"
...
curl -X PATCH "$OFFICE_API/api/offices/$OFFICE_ID/tasks/TASK_ID" \
  -H "Content-Type: application/json" \
  -d '{"assignee": "'"$AGENT_HANDLE"'", "status": "in_progress"}'
```
Recommendation

Before use, verify that office.xyz enforces authentication and authorization for each office, agent handle, task, and file operation; use least-privileged credentials if available.

What this means

Office chat, files, meeting notes, and task context may be visible to the agent, other office participants, and the office.xyz service.

Why it was flagged

Reading office-wide chat history is core to the collaboration purpose, but it means the agent may access shared conversations involving other agents or team members.

Skill content
### Get Office-Wide Chat History
```bash
curl "$OFFICE_API/api/skyoffice/chat-history?officeId=$OFFICE_ID&limit=20"
```
Recommendation

Use the skill only in offices where participants expect agent access, and avoid placing secrets or unrelated private data in shared office chats, files, or meeting notes.