YunZhijia Form General Parsing Rules

Pass

Audited by ClawScan on May 11, 2026.

Overview

This is a documentation-only YunZhijia form parsing/building skill; the only notable issue is a token-like access-token example in the attachment download reference.

This skill appears safe to install as documentation, but review the attachment download example carefully: do not include real YunZhijia access tokens in the skill files or prompts, and only let the agent download files when you have intentionally provided the fileId and token.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used, the agent could retrieve YunZhijia attachment content for the provided fileId.

Why it was flagged

The reference documents a direct authenticated API download command. It is purpose-aligned for attachment widgets and there is no automatic execution, but it should only be run with the user's explicit fileId and approval.

Skill content

curl -X GET 'https://www.yunzhijia.com/docrest/doc/user/downloadfile?fileId=5b860345b6238e3d9e9e1973'

Recommendation

Treat the curl command as reference only; confirm the target fileId and token with the user before any download.

What this means

A real YunZhijia access token could allow authenticated access to files or account resources depending on its scope.

Why it was flagged

The documentation includes a token-like access-token header. It appears to be an illustrative or masked sample and is not used by code, but access tokens are sensitive credentials.

Skill content

-H 'x-accessToken: iq0lfXAJCu2GlxxxxdZpLxxxx3ihC590'

Recommendation

Replace the sample with a neutral placeholder such as <YOUR_ACCESS_TOKEN>, and never paste or store real access tokens in shared skill files.