Office Productivity
ReviewAudited by ClawScan on May 10, 2026.
Overview
The included document scripts look ordinary, but the skill also claims it can read/send and bulk-modify email/calendar using credentials through missing, undeclared helpers, so it needs review before use.
The local document-generation scripts appear straightforward, but treat the email and calendar features as unreviewed and high-impact. Do not provide IMAP/SMTP or calendar credentials unless the missing helper code is supplied and you can require explicit confirmation for every send, reply, archive, or event creation.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used for mail or calendar tasks, the agent may need access to private messages, contacts, and calendar data, and could send or create items on the user's behalf.
The skill advertises credential-backed access to mail and calendar accounts, but the supplied registry metadata declares no primary credential, environment variables, or config paths to bound how those credentials are handled.
邮件读取 / 发送(IMAP/SMTP) ... 日程读取与事件创建( ICS / Google Calendar API) ... 邮件操作需要用户提供 IMAP/SMTP 配置
Only use mail/calendar functions after confirming the exact account, credential method, recipient/event scope, and whether each send or mutation requires explicit user approval.
A mistaken or overly broad task could affect many emails or send messages externally without enough guardrails.
Bulk email archiving/replying and direct sending are high-impact actions, but the instructions do not specify confirmation gates, recipient checks, dry-run behavior, or rollback safeguards.
邮件批量处理(分类、归档、回复) ... 输出交付:文件路径或直接发送
Require preview and explicit approval before any email send, reply, archive, deletion, or bulk account change.
The agent may attempt to rely on missing or unreviewed code for sensitive mail operations, making behavior and credential handling unclear.
SKILL.md references helper scripts that are not included in the supplied manifest; this is especially concerning for the mail client because it would handle credential-backed account access.
`scripts/create_pptx.py` - python-pptx 创建 PPT ... `scripts/mail_client.py` - IMAP/SMTP 邮件收发
Include and review all referenced helper scripts, or remove unsupported capabilities from SKILL.md until their implementation and credential handling are documented.
A split operation may produce the wrong PDF pages, which could matter if the result is later shared.
The PDF split command appears to subtract one from page numbers twice, which can export unexpected pages for a requested range.
pr = range(int(parts[0]) - 1, int(parts[1])) ... writer.add_page(reader.pages[pg - 1])
Fix and test page-range handling before relying on the PDF split feature for sensitive documents.