Is dxh141130/wps-punchclock safe?

https://github.com/openclaw/skills/tree/main/skills/dxh141130/wps-punchclock

92
SAFE

This is a legitimate time tracking automation skill that uses Playwright to interact with WPS Time/NetTime services. The skill properly stores credentials in macOS Keychain and includes reasonable security practices. While it contains executable code and accesses credentials, these are necessary for its stated functionality and appear to be implemented safely.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 90/100 · 5%

Findings (4)

INFO Contains executable JavaScript automation scripts -10

The skill includes punchclock.mjs and setup.mjs files that contain Playwright browser automation code. While this appears legitimate for the stated purpose of time tracking automation, executable code always presents some risk.

LOW Accesses stored credentials from macOS Keychain -10

The skill reads login credentials from macOS Keychain services 'wpstime-punchclock' and 'wpstime-punchclock.company'. This is necessary for the automation but involves access to sensitive data.

INFO Performs browser automation and screenshot capture -5

The skill uses Playwright to automate browser interactions with external websites and captures screenshots. This is legitimate for the stated functionality but involves external network requests.

LOW Potential for time tracking misuse -10

While not a security vulnerability per se, this automation tool could potentially be misused to falsify time records, which would be an HR/compliance concern rather than a technical security issue.