Office Automation
Security checks across malware telemetry and agentic risk
Overview
The artifacts shown look like local office-file automation, but the skill can batch-change files and advertises email sending, so users should verify folders, backups, and mail settings before use.
Before installing or using, run it only on intended folders, keep backups, and verify outputs after a small test. If using email sending, review the config and recipient file and require explicit approval before bulk sends. Optional Python packages should be installed from trusted sources, preferably in a virtual environment.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken path, rename pattern, or replacement text could alter important local documents.
The script performs batch renames and in-place Word document saves on files in the selected input directory. This is aligned with office automation, but it can change many local files if the wrong folder or pattern is used.
print(f"\n✅ 将重命名 {renamed_count} 个文件") ... shutil.move(str(file), str(new_path)) ... doc.save(f)
Use it first on copies or backed-up folders, and require explicit user review before running batch rename or Word replacement on important files.
If the email feature is used, the user's mail account or SMTP configuration could send messages to many recipients.
The skill advertises an email-sending action that would likely use a user-provided mail configuration and recipient list. This is disclosed and purpose-aligned, but it may send messages on the user's behalf.
clawhub run ke-office-automation --action email-send --config ./email-config.json --data ./recipients.xlsx
Inspect the email configuration and recipient file, test with a small list first, and require explicit approval before any bulk send.
Installing unpinned packages can pull newer or unexpected dependency versions.
When optional libraries are missing, the script tells the user to install PyPI packages. This is normal for the file-processing purpose, but the packages are not pinned in an install spec or lockfile.
💡 安装命令:pip install pandas openpyxl
Install dependencies in a virtual environment from trusted package indexes, and pin versions if using this skill in a business workflow.
Users could over-assume that every advertised action is purely local.
The privacy statement says all processing is local and data is not uploaded, while the same document advertises email sending. The visible file-processing code is local, but email sending inherently transmits selected message and recipient data.
- Automatic email sending ... A: All processing is completed locally, and data is not uploaded.
Clarify that local-only handling applies to file processing, and separately disclose what data is sent when using the email feature.
