Cms Cwork
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill's code and docs implement a legitimate CWork API client, but the package metadata omits the required CWORK_APP_KEY credential, and the scripts can read local files and perform network calls. This mismatch and these capabilities deserve manual review before installation.
This package appears to be a genuine CWork client (search/send reports, tasks, todo). Before installing or enabling it:
- Confirm and provide a CWORK_APP_KEY with the minimal scope needed; the SKILL.md and client code require it but the registry metadata does not declare it. Ask the publisher to fix the metadata.
- Review the bundled scripts (they are present in the package) to confirm acceptable behavior, especially file upload paths (--file-paths) and any interactive confirmation logic; attachments passed to the scripts will be uploaded to the CWork server.
- Run the scripts in a sandbox or test account first to observe network endpoints and payloads; the default base URL is https://sg-al-cwork-web.mediportal.com.cn.
- Do not supply broader credentials (AWS, GitHub, etc.); none are required by the CWork client. If you need the skill to run on behalf of a user, ensure the app key is stored and scoped appropriately and that the platform will protect it.
- Ask the skill owner to correct the registry metadata to list CWORK_APP_KEY as a required credential (primaryEnv) so the platform can enforce proper secret handling. Providing that metadata will materially increase confidence.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
No VirusTotal findings for this skill version.
Risk analysis
No visible risk-analysis findings were reported for this release.
