← Back to Skills Marketplace

Wps Skill

Name: Wps Skill
Author: lilei0311

by MaxStormSpace · GitHub ↗ · v1.3.0

cross-platform ⚠ suspicious

1837

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install wps-skill

Description

WPS Office automation skill supporting document creation, Markdown conversion, and image-text layout.

Usage Guidance

What to check before installing/using: - Review the included Python files (especially scripts/main.py and any network-related modules) for unexpected network calls (search for requests, urllib, socket) or code that uploads files/credentials. The SKILL.md and config.json indicate app_id/app_secret are stored in plaintext — don't put real production credentials in config.json; prefer environment variables or a secret store. - The SKILL uses pyautogui (GUI automation) and subprocess to open/drive WPS. That can send keystrokes to whatever window is active — test in a VM/sandbox or disable GUI automation if you don't need it. - SKILL.md's pip install line is incomplete. Before running, install and audit the actual dependencies observed in the code (python-docx, openpyxl, python-pptx/pptx, Pillow, pyautogui, pyperclip, requests, etc.) and run tests in an isolated environment. - Verify the code provenance: SKILL.md references a GitHub URL but the registry lists source unknown. Prefer installing only skills with a verifiable upstream repository and commits you can inspect. - If you plan to allow autonomous agent invocation, limit the skill's permissions or disable autonomous use until you're comfortable with the code (or run behind policies that prevent file exfiltration). Consider running static scans and grepping the repository for suspicious patterns (hardcoded endpoints, outbound IPs, base64/exec/eval, writing credentials to network locations). - If confidence is required before deployment, request the upstream repository or ask the author for a signed release and for credential handling to be changed to environment variables/secrets rather than plaintext config.json.

Capability Analysis

Type: OpenClaw Skill Name: wps-skill Version: 1.3.0 This skill is classified as suspicious due to multiple critical vulnerabilities that could lead to Remote Code Execution (RCE) and arbitrary file system access via prompt injection. Specifically, the `scripts/main.py` script directly passes unsanitized user input to `pyautogui.typewrite` (allowing arbitrary keystroke injection into any active application) and `subprocess.Popen` (creating shell injection vulnerabilities). Additionally, user-controlled file paths are used in `os.path.join` without proper sanitization, leading to path traversal risks. The `SKILL.md` document acknowledges some of these risks but the code does not mitigate them, and sensitive API credentials (`app_id`, `app_secret`) are stored in plain text in `config.json`.

Capability Assessment

✓ Purpose & Capability

The name/description (WPS Office automation, MD conversion, image layout) match the included code: converters for MD→docx/xlsx/pptx, image handling, and a controller that launches WPS via subprocess and uses pyautogui for typing. Asking for WPS app path / optional WPS 365 credentials is consistent with the functionality.

⚠ Instruction Scope

SKILL.md directs running the included scripts and warns it uses pyautogui (GUI automation) and filesystem operations. The instructions tell the agent/user to open, create, and modify local files and to put app_id/app_secret into config.json. That grants broad file/modification scope and the ability to simulate keyboard input to the active window; these behaviors are potentially disruptive and warrant caution. The install/usage docs also omit several real runtime dependencies seen in the code (python-docx, openpyxl, python-pptx), which means a user following the instructions may get unexpected errors or attempt manual fixes.

ℹ Install Mechanism

There is no formal install spec (instruction-only), so nothing arbitrary is fetched during skill install — low distribution risk. However, SKILL.md's pip install line is incomplete relative to the codebase (it lists requests, pyautogui, pyperclip, Pillow but the code clearly imports docx, openpyxl, pptx/pptx.util, python-pptx, etc.). This mismatch is an operational/integrity concern (missing deps) rather than a direct supply-chain download risk.

⚠ Credentials

The registry metadata declares no required env vars, but the skill expects optional WPS 365 credentials (app_id/app_secret) stored in config.json. Storing secrets in a plain JSON file is less secure than env vars; SKILL.md mentions 'will support env vars soon' but currently recommends editing config.json. That is disproportionate risk for a cloud-integration feature and may lead to credentials being left in plaintext. The skill also requires accessibility/automation permissions on macOS (pyautogui), which is a privilege to consider.

ℹ Persistence & Privilege

always is false (no forced enrollment), and model invocation is allowed (default). The combination of autonomous invocation and pyautogui/file-modifying code increases blast radius: if the agent runs this skill autonomously it can interact with the user's GUI and files. This is not a platform misconfiguration, but it is a meaningful operational risk and should inform whether you permit autonomous execution.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install wps-skill
After installation, invoke the skill by name or use /wps-skill
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.3.0

wps-skill 1.3.0 - 增加对 PPT 和 Excel 的图片插入及图文混排功能。 - 用户手册丰富，新增 PPT 和 Excel 图文混排命令及用法示例。 - SKILL.md 与实际脚本能力保持同步，完善各类图片与布局支持的描述。 - 主要脚本（如 excel_converter.py、ppt_converter.py、main.py）更新，支持新图片和图文混排特性。 - 配置等文档同步更新，确保用户易于启用新版功能。

v1.2.0

wps-skill 1.2.0 - Added support for Markdown↔Excel (md_to_xlsx, xlsx_to_md) and Markdown↔PPT (md_to_pptx, pptx_to_md) conversion features. - Introduced new script files: excel_converter.py and ppt_converter.py for extended format support. - Updated documentation and example commands to reflect new Excel and PPT conversion capabilities. - Added test cases and changelogs for Excel and PPT conversions.

v1.1.0

**WPS Office Skill 1.1.0 introduces powerful Markdown/Word conversion and advanced image/layout automation.** - Added robust Markdown ↔ Word conversion (supports images, code blocks, tables, lists, etc.) - Introduced image insertion, batch image grid, and mixed text-image layout features (e.g., left/right/top/bottom layouts) - Enhanced local document automation with new bulk conversion and formatting options - Expanded documentation with detailed CLI usage examples and security/privacy guidance - Improved WPS 365 cloud integration instructions and troubleshooting guidance

Metadata

Slug wps-skill

Version 1.3.0

License —

All-time Installs 11

Active Installs 10

Total Versions 3

Frequently Asked Questions

What is Wps Skill?

WPS Office automation skill supporting document creation, Markdown conversion, and image-text layout. It is an AI Agent Skill for Claude Code / OpenClaw, with 1837 downloads so far.

How do I install Wps Skill?

Run "/install wps-skill" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Wps Skill free?

Yes, Wps Skill is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Wps Skill support?

Wps Skill is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Wps Skill?

It is built and maintained by MaxStormSpace (@lilei0311); the current version is v1.3.0.

More Skills