Is lilei0311/wps-office safe?

https://github.com/openclaw/skills/tree/main/skills/lilei0311/wps-office

87
SAFE

This is a legitimate WPS Office automation skill with comprehensive functionality for document operations and cloud integration. While it uses system-level capabilities like subprocess execution and GUI automation that present inherent security considerations, these are appropriate for its office automation purpose and show no signs of malicious intent.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (5)

MEDIUM Subprocess execution capability -15

The skill uses subprocess.Popen() to launch WPS Office applications, which provides system-level execution capabilities. While used legitimately for office automation, this could be a security risk if the skill were compromised.

MEDIUM GUI automation with pyautogui -10

The skill uses pyautogui for keyboard input simulation, which can interact with any active window. This presents automation risks if misused, though it's legitimate for document content input.

LOW Broad file access permissions -10

The skill can create, read, and modify files across user-specified directories for document operations. While necessary for functionality, this provides extensive filesystem access.

LOW Cloud API data transmission -10

WPS 365 functionality sends document data to WPS cloud servers. This is the intended functionality but represents data leaving the local system.

INFO External URL reference -5

The skill documentation contains a reference to an external URL for WPS Open Platform. This is legitimate but worth noting.