General Software Automation

Review

Audited by ClawScan on May 10, 2026.

Overview

This is a disclosed local automation skill with no evident malware or exfiltration, but it can control the GUI, change many files, and touch system settings if used carelessly.

Install only if you need local automation and are comfortable with a tool that can control your mouse/keyboard and rename files. Preview file operations first, run GUI scripts only from trusted sources, avoid typing secrets through the helper, and approve any administrator-level system changes explicitly.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken or untrusted automation script could click buttons, type into apps, or trigger shortcuts in the wrong window.

Why it was flagged

The JSON runner can execute sequences of GUI clicks, typed text, and hotkeys. This is purpose-aligned for GUI automation, but it can affect the active application and should only run trusted, reviewed action scripts.

Skill content

elif action == 'click_pos':
    click_pos(**params)
elif action == 'type_text':
    type_text(**params)
elif action == 'hotkey':
    hotkey(**params)

Recommendation

Run GUI automation only when the intended window is active and visible, review JSON step files before use, and rely on the PyAutoGUI fail-safe if behavior goes wrong.

What this means

If run with the wrong directory, pattern, or recursive option, many files could be renamed at once.

Why it was flagged

The batch rename tool can recursively modify many filenames, but it defaults to preview unless --execute is supplied.

Skill content

r.add_argument('--execute', '-e', action='store_true', help='执行(否则仅预览)')
r.add_argument('--recursive', '-R', action='store_true')

Recommendation

Use preview mode first, test on a copy or small directory, and only use --execute after confirming the planned changes.

What this means

Admin-level automation could install or remove software, change registry or environment settings, or restart services.

Why it was flagged

The documentation advertises administrator-level or system-level operations. These are coherent with a general automation skill but are high-impact and should be explicitly user-approved.

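Skill content

- Silent install / uninstall (MSI / EXE)
- Configuration file modification (INI / JSON / YAML / registry)
- Environment variable management
- Windows service management (start/stop/restart)
...
- Silent installation requires administrator privileges

Recommendation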

Grant administrator privileges only for specific tasks you requested, and ask for a clear plan and rollback steps before system changes.

What this means

Some advertised capabilities may not work as documented or may require unreviewed code if added later.

Why it was flagged

SKILL.md references helper scripts that are not present in the provided file manifest, which contains only scripts/gui_auto.py, scripts/batch_rename.py, and SKILL.md.

Skill content

- `scripts/uiauto.py` - advanced Windows UIAutomation operations
- `scripts/file_convert.py` - batch format conversion
- `scripts/soft_install.py` - silent software installation
- `scripts/log_collector.py` - log collection and analysis

Recommendation

Before relying on the missing capabilities, verify the exact scripts to be used and review their source or provenance.

What this means

Sensitive text entered through the automation may be partially exposed in command output.

Why it was flagged

The text-typing function echoes the first 20 characters of typed text to stdout. If used for passwords, tokens, or private form data, that content could appear in the agent transcript or logs.

Skill content

print(f"[OK] 已输入文本: {text[:20]}...")

Recommendation

Avoid using this helper to type secrets, or modify it to avoid printing user-supplied text.