wecom-workplan-summary
v0.1.2团队工作计划周度/月度汇总分析。仅当用户**明确提供**了团队工作计划数据(粘贴内容或指向企微智能表格)并要求汇总/分析时触发。典型意图:"这是团队工作计划,帮我看下上周/本周情况"、"我把数据复制过来了,分析一下"、"帮我从企微表格拉取工作计划汇总"。**不触发**:仅提到"周报"、"本周工作"等通用词但未提供...
⭐ 0· 60·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match the implementation: the SKILL.md and scripts implement two input modes (paste file or MCP fetch) for summarizing team work plans. The script contains the DOCID and sheet_id used in the description and only calls a wecom_mcp helper and local parsing/formatting logic — nothing unrelated (no cloud API keys, no unrelated services).
Instruction Scope
Instructions are narrowly scoped to: (A) write user-provided table text to /tmp/workplan_paste.tsv and run the included Python script, or (B) call the local wecom_mcp binary to fetch the specified smart-sheet and run the script. Minor operational note: user data is written to /tmp (world-readable on many systems) and the script reads/writes files under ~/.openclaw/workspace/skills — this is expected for the task but may be relevant in multi-tenant or sensitive-data environments.
Install Mechanism
Instruction-only skill with an included script; there is no install spec, no network downloads, and nothing is written to disk beyond the normal workspace and /tmp files. This is the lowest-risk install posture.
Credentials
The skill declares no required environment variables or credentials. It invokes a local helper binary (wecom_mcp) to fetch smart-sheet data; relying on a platform-managed binary for auth is consistent with the described purpose. There are no other secret-named env vars or unrelated credential accesses.
Persistence & Privilege
The skill does not request always:true or any elevated persistent privileges. It runs as an ordinary user-invoked skill and only executes the included Python script and the local wecom_mcp helper per SKILL.md.
Assessment
What to check before installing: 1) Confirm the wecom_mcp helper is trusted and that you want it to access the named docid/sheet (wecom_mcp is the component that performs authenticated fetches). 2) Avoid pasting sensitive secrets into the clipboard input; pasted content is written to /tmp/workplan_paste.tsv (which may be readable by other processes/users on some systems). 3) Review the included scripts/summary.py (already inspected here) if you need to be certain of exact parsing/retention behavior; the script only parses dates/plans, aggregates by person, and formats structured output — it does not exfiltrate data to external endpoints. 4) If deploying in a shared environment, consider restricting filesystem permissions on /tmp or use a private temp location. If you want, I can produce a short checklist of changes to make the temp handling more private (e.g., use a secure temp file) or highlight any specific lines in the script for further review.Like a lobster shell, security has layers — review code before you run it.
latestvk975hk3w9a09hgk0cw13hxfh41840gyz
License
MIT-0
Free to use, modify, and redistribute. No attribution required.