Is tiangong-wps-word-automation safe?

https://clawhub.ai/Fadeloo/tiangong-wps-word-automation

72
CAUTION

This skill provides a Python script for Word/WPS document automation via COM on Windows. The code is straightforward with no obfuscated or malicious logic, no prompt injection, and clean clone behavior. However, the bundled executable script with COM automation capabilities and the complete lack of path validation on all file arguments present a meaningful risk surface: because the script runs Word/WPS in the context of the current user, an agent could be directed to read, modify, or export any document that user can access, with no restriction imposed by the skill itself.

Category Scores (score out of 100 · weight)

Prompt Injection 90/100 · 30%
Data Exfiltration 65/100 · 25%
Code Execution 45/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 55/100 · 5%

Findings (7)

MEDIUM Bundled executable Python script with COM automation -30

The skill includes wps_word_automation.py, which uses win32com.client.Dispatch to control Word/WPS via COM. Dispatch can instantiate any registered COM server, not only Word/WPS, so the same primitive can drive any automatable application installed on the host. The agent is instructed to execute this script directly via shell commands.

MEDIUM Skill instructs pip install of pywin32 -25

The SKILL.md requirements section instructs the agent to run 'python -m pip install pywin32', which installs a package from PyPI. While pywin32 is a legitimate, well-known package, instructing an agent to install packages from a public registry introduces supply chain risk, and the quoted command pins neither a version nor a hash.

MEDIUM No path validation on file arguments -25

The Python script accepts arbitrary file paths for the --input, --output, --save, --outdir, and --image parameters with no validation. There is no sandboxing, no allowlisting of directories, and no check for path traversal. An agent using this skill could be directed to read any .docx file the user can access or write output to any location the user can write to.

LOW Export command can convert documents to plaintext -10

The export --format txt command extracts full document text to a file. Combined with the lack of path restrictions, this could be used to extract sensitive document content to locations accessible for exfiltration by other means.

LOW Merge command could combine sensitive documents -15

The merge command can combine multiple documents into one, potentially aggregating sensitive content from separate sources into a single file that could then be shared or exfiltrated.

INFO Skill description is straightforward and well-scoped -10

The SKILL.md contains only usage documentation for Word/WPS automation commands. No hidden instructions, persona overrides, or manipulation attempts were found. The skill keeps its scope to local document operations.

LOW COM automation opens files with write access by default -30

All document open operations pass ReadOnly=False, meaning the script always requests write access to documents, even for commands such as 'read' that never modify them. This is unnecessarily permissive, violates least privilege, and could lead to accidental document corruption.
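The two findings above (unrestricted file arguments, and every open requesting write access) can be addressed in the same helper. The following is an added example, not the skill's own wps_word_automation.py: it canonicalises each path and refuses anything outside an allowed directory, then passes ReadOnly to Documents.Open based on the command. The command names treated as read-only, the allowed-suffix list, and the FakeWordApp stand-in are assumptions so the example runs without Windows, Word/WPS or pywin32; on Windows the same open_document call works against win32com.client.Dispatch("Word.Application").

```python
# Added example (not the skill's own wps_word_automation.py): confine every
# file argument to an allowed directory and request ReadOnly unless the
# command needs write access. The command names, suffix list and FakeWordApp
# stand-in are assumptions so the example runs without Windows or pywin32.
from __future__ import annotations

import tempfile
from pathlib import Path

# Assumption: these commands never modify the document they open.
READ_ONLY_COMMANDS = frozenset({"read", "export"})
ALLOWED_SUFFIXES = frozenset({".doc", ".docx", ".wps"})


def validate_path(user_path: str, allowed_root: str, *, must_exist: bool = True) -> Path:
    """Canonicalise user_path and confirm it stays inside allowed_root.

    resolve() follows symlinks and collapses '..' before the containment check,
    so traversal, symlink escapes and absolute/UNC/drive-letter paths outside
    the root are all rejected by one test (is_relative_to needs Python 3.9+).
    """
    root = Path(allowed_root).resolve(strict=True)
    # Joining an absolute candidate onto root yields the candidate unchanged,
    # so absolute and relative inputs take the same code path.
    target = (root / user_path).resolve()
    if not target.is_relative_to(root):
        raise PermissionError(f"{user_path!r} escapes the allowed directory {root}")
    if target.suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError(f"{user_path!r} is not a Word/WPS document")
    if must_exist and not target.is_file():
        raise FileNotFoundError(target)
    return target


def open_document(app, path: Path, command: str):
    """Open path through the COM Application object with least access.

    The skill's script passes ReadOnly=False on every open; here only commands
    outside READ_ONLY_COMMANDS get write access.
    """
    read_only = command in READ_ONLY_COMMANDS
    return app.Documents.Open(str(path), ReadOnly=read_only, AddToRecentFiles=False)


def run_command(app, command: str, user_path: str, allowed_root: str):
    """Validate the argument first, then open the document; returns the Document."""
    path = validate_path(user_path, allowed_root, must_exist=True)
    return open_document(app, path, command)


class _FakeDocuments:
    """Stand-in for the COM Documents collection (assumption: records each Open)."""

    def __init__(self) -> None:
        self.opened: list[tuple[str, bool]] = []

    def Open(self, FileName, ReadOnly=False, AddToRecentFiles=True):
        self.opened.append((FileName, ReadOnly))
        return {"FileName": FileName, "ReadOnly": ReadOnly}


class FakeWordApp:
    """Replaces win32com.client.Dispatch("Word.Application") for the demo."""

    def __init__(self) -> None:
        self.Documents = _FakeDocuments()


def demo() -> dict:
    """Constructed scenario: one document inside the allowed root, one outside."""
    results: dict = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "docs"
        root.mkdir()
        (root / "report.docx").write_bytes(b"PK")       # constructed placeholder
        (Path(tmp) / "secret.docx").write_bytes(b"PK")  # outside the allowed root
        app = FakeWordApp()
        results["read_opens_readonly"] = run_command(app, "read", "report.docx", str(root))["ReadOnly"]
        results["merge_opens_writable"] = run_command(app, "merge", "report.docx", str(root))["ReadOnly"]
        attempts = {
            "traversal": "../secret.docx",
            "absolute": str(Path(tmp) / "secret.docx"),
            "wrong_type": "notes.txt",
        }
        for label, bad in attempts.items():
            try:
                run_command(app, "read", bad, str(root))
                results[label] = "allowed"
            except (PermissionError, ValueError, FileNotFoundError) as exc:
                results[label] = type(exc).__name__
        results["opens_attempted"] = len(app.Documents.opened)
    return results


if __name__ == "__main__":
    print(demo())
```

The containment check runs on the resolved path, not the string the agent supplied, which is what defeats "..", symlinks and absolute paths in one place; the suffix allowlist keeps the export and image options from being pointed at arbitrary files. Apply validate_path to every one of --input, --output, --save, --outdir and --image, with must_exist=False for output locations.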