(Treasury System) API Full Lifecycle Management Smart Skill
Advisory. Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If connected to real credentials and endpoints, generated or executed requests could affect financial workflows.
The skill documents and can generate examples for APIs that may initiate payroll, payment orders, or fund transfers. This is aligned with a treasury API skill, but these are high-impact financial operations.
| 601114 | Batch payroll disbursement | 10 | ... |
| 601116 | Generate a single payment application or payment order | 10 | ... |
| 601304 | Manual fund allocation | 10 |
Use test environments by default, require explicit human approval before any real payment/payroll/fund-transfer request, and review generated requests before sending.
Misconfigured or exposed bank credentials could allow unauthorized API calls.
Real API use requires access to banking private keys/certificates. The artifact does not hardcode a private key, but it makes clear that privileged credentials are needed.
def _get_private_key(self) -> bytes:
    """Get the user's private key."""
    # TODO: obtain from a certificate file or key-management system
Store private keys in a secure key-management system, avoid placing secrets in prompts or files, and restrict credentials to the minimum required bank permissions.
Real account numbers, balances, payroll files, or payment details could be transmitted to the configured banking endpoint.
The example sends banking request data, including an account number field, to an external PSBC API endpoint. This is disclosed and purpose-aligned, but involves sensitive financial data flow.
BASE_URL="https://olt.api-test.psbc.com:9902/gateway/std/" ... "bankAccno": "951011013000006323"
Verify the endpoint, use only authorized test data during development, and do not send real financial data unless the user has approved the exact request.
Installing an unreviewed or unexpected package version could introduce dependency risk.
The README suggests installing an unpinned third-party cryptography package. It is a manual, purpose-aligned setup step rather than an automatic install, but still carries normal package-provenance risk.
pip install gmssl
Pin and verify dependency versions, install from trusted sources, and review cryptography library choices before production use.
