office-automation-pro

Security checks across static analysis, malware telemetry, and agentic risk

Overview

No artifact-backed malicious behavior was found, but the skill includes broad office automation, optional email credentials, and bulk sending/report distribution that users should review carefully.

This appears to be a benign instruction-only office automation skill. Before using it, confirm every batch send or report distribution, use limited email credentials, back up important files, and do not rely solely on the stated privacy guarantees for sensitive HR, finance, or customer data.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken recipient list, template, or report could be sent to many people or shared externally.

Why it was flagged

Bulk email, scheduled sending, and automatic distribution are disclosed and aligned with office automation, but they can affect external recipients if run without review.

Skill content
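- 📧 **Email management**: bulk sending, template management, automatic classification, scheduled sending ... - 📊 **Report generation**: data collection, periodic generation, visual charts, automatic distribution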
Recommendation

Preview generated documents, recipient lists, and email/report content, and require explicit confirmation before sending or distributing anything.

What this means

If configured with a real mailbox password, the skill could send messages through that account when used for email automation.

Why it was flagged

The skill documents optional SMTP credentials for email sending. This is purpose-aligned, but it gives the automation access to an email account.

Skill content
"email": { "smtp_server": "smtp.example.com", "smtp_port": 465, "username": "your@email.com", "password": "your-password" }
Recommendation

Use an app-specific password or limited-purpose mailbox where possible, and avoid providing broad personal or administrator email credentials.

What this means

Users might assume sensitive documents are never shared externally even when using email, cloud, or collaboration workflows.

Why it was flagged

The skill makes broad privacy and safety claims while also advertising email, cloud storage, and collaboration integrations; the artifacts do not detail how these guarantees are enforced.

Skill content
## Security guarantees
- Data is processed locally
- No uploads to the cloud
- Sensitive information is masked
- Operation logs are recorded
Recommendation

Treat the privacy claims as guidance rather than a guarantee; verify destinations, avoid unnecessary cloud/email sharing, and redact sensitive data before automation.