Wps Skill
Author: MaxStormSpace · v1.3.0
Total downloads: 1837
Favorites: 1
Current installs: 10
Versions: 3
Install in OpenClaw
/install wps-skill
Description
WPS Office automation skill supporting document creation, Markdown conversion, and image-text layout.
Security usage recommendations
What to check before installing/using:
- Review the included Python files (especially scripts/main.py and any network-related modules) for unexpected network calls (search for requests, urllib, socket) or code that uploads files/credentials. The SKILL.md and config.json indicate app_id/app_secret are stored in plaintext — don't put real production credentials in config.json; prefer environment variables or a secret store.
- The SKILL uses pyautogui (GUI automation) and subprocess to open/drive WPS. That can send keystrokes to whatever window is active — test in a VM/sandbox or disable GUI automation if you don't need it.
- SKILL.md's pip install line is incomplete. Before running, install and audit the actual dependencies observed in the code (python-docx, openpyxl, python-pptx/pptx, Pillow, pyautogui, pyperclip, requests, etc.) and run tests in an isolated environment.
- Verify the code provenance: SKILL.md references a GitHub URL but the registry lists source unknown. Prefer installing only skills with a verifiable upstream repository and commits you can inspect.
- If you plan to allow autonomous agent invocation, limit the skill's permissions or disable autonomous use until you're comfortable with the code (or run behind policies that prevent file exfiltration). Consider running static scans and grepping the repository for suspicious patterns (hardcoded endpoints, outbound IPs, base64/exec/eval, writing credentials to network locations).
- If confidence is required before deployment, request the upstream repository or ask the author for a signed release and for credential handling to be changed to environment variables/secrets rather than plaintext config.json.
Functional analysis
Type: OpenClaw Skill
Name: wps-skill
Version: 1.3.0
This skill is classified as suspicious due to multiple critical vulnerabilities that could lead to Remote Code Execution (RCE) and arbitrary file system access via prompt injection. Specifically, the `scripts/main.py` script directly passes unsanitized user input to `pyautogui.typewrite` (allowing arbitrary keystroke injection into any active application) and `subprocess.Popen` (creating shell injection vulnerabilities). Additionally, user-controlled file paths are used in `os.path.join` without proper sanitization, leading to path traversal risks. The `SKILL.md` document acknowledges some of these risks but the code does not mitigate them, and sensitive API credentials (`app_id`, `app_secret`) are stored in plain text in `config.json`.
Capability assessment
Purpose & Capability
The name/description (WPS Office automation, MD conversion, image layout) match the included code: converters for MD→docx/xlsx/pptx, image handling, and a controller that launches WPS via subprocess and uses pyautogui for typing. Asking for WPS app path / optional WPS 365 credentials is consistent with the functionality.
Instruction Scope
SKILL.md directs running the included scripts and warns it uses pyautogui (GUI automation) and filesystem operations. The instructions tell the agent/user to open, create, and modify local files and to put app_id/app_secret into config.json. That grants broad file/modification scope and the ability to simulate keyboard input to the active window; these behaviors are potentially disruptive and warrant caution. The install/usage docs also omit several real runtime dependencies seen in the code (python-docx, openpyxl, python-pptx), which means a user following the instructions may get unexpected errors or attempt manual fixes.
Install Mechanism
There is no formal install spec (instruction-only), so nothing arbitrary is fetched during skill install — low distribution risk. However, SKILL.md's pip install line is incomplete relative to the codebase (it lists requests, pyautogui, pyperclip, Pillow but the code clearly imports docx, openpyxl, pptx/pptx.util, python-pptx, etc.). This mismatch is an operational/integrity concern (missing deps) rather than a direct supply-chain download risk.
Credentials
The registry metadata declares no required env vars, but the skill expects optional WPS 365 credentials (app_id/app_secret) stored in config.json. Storing secrets in a plain JSON file is less secure than env vars; SKILL.md mentions 'will support env vars soon' but currently recommends editing config.json. That is disproportionate risk for a cloud-integration feature and may lead to credentials being left in plaintext. The skill also requires accessibility/automation permissions on macOS (pyautogui), which is a privilege to consider.
Persistence & Privilege
always is false (no forced enrollment), and model invocation is allowed (default). The combination of autonomous invocation and pyautogui/file-modifying code increases blast radius: if the agent runs this skill autonomously it can interact with the user's GUI and files. This is not a platform misconfiguration, but it is a meaningful operational risk and should inform whether you permit autonomous execution.
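How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install wps-skill
- Once installation completes, call the Skill by name or use /wps-skill to trigger it
- Provide the required input according to the Skill's parameter description to get structured output
Version history
v1.3.0
wps-skill 1.3.0
- Added image insertion and mixed image-text layout for PPT and Excel.
- Expanded the user manual with new PPT and Excel mixed image-text layout commands and usage examples.
- Kept SKILL.md in sync with the actual script capabilities and improved the descriptions of image and layout support.
- Updated the main scripts (such as excel_converter.py, ppt_converter.py, main.py) to support the new image and mixed image-text layout features.
- Updated the configuration and related documentation in sync so that users can easily enable the new version's features.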
v1.2.0
wps-skill 1.2.0
- Added support for Markdown↔Excel (md_to_xlsx, xlsx_to_md) and Markdown↔PPT (md_to_pptx, pptx_to_md) conversion features.
- Introduced new script files: excel_converter.py and ppt_converter.py for extended format support.
- Updated documentation and example commands to reflect new Excel and PPT conversion capabilities.
- Added test cases and changelogs for Excel and PPT conversions.
v1.1.0
**WPS Office Skill 1.1.0 introduces powerful Markdown/Word conversion and advanced image/layout automation.**
- Added robust Markdown ↔ Word conversion (supports images, code blocks, tables, lists, etc.)
- Introduced image insertion, batch image grid, and mixed text-image layout features (e.g., left/right/top/bottom layouts)
- Enhanced local document automation with new bulk conversion and formatting options
- Expanded documentation with detailed CLI usage examples and security/privacy guidance
- Improved WPS 365 cloud integration instructions and troubleshooting guidance
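FAQ
What is Wps Skill?
WPS Office automation skill supporting document creation, Markdown conversion, and image-text layout. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1837 cumulative downloads to date.
How do I install Wps Skill?
Run the command "/install wps-skill" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is required.
Is Wps Skill free?
Yes, Wps Skill is completely free (free and open source) and can be freely downloaded, installed and used.
Which platforms does Wps Skill support?
Wps Skill runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who develops Wps Skill?
It is developed and maintained by MaxStormSpace (@lilei0311); the current version is v1.3.0.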