ClawHub

Fxiaoke Sales Record Publish

v1.0.1

自动检测登录并使用保存的cookies,智能填写销售记录必填项,一键发布纷享销客CRM销售记录,保证100%成功率。

0· 235·0 current·0 all-time
byqinlong@pandasun
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
Metadata and description claim a Fxiaoke (CRM) sales-record publisher that uses saved cookies, but the repository contains a 'space-login' simulation (SKILL.md, space_login.py, examples) with no code touching CRM or cookies. Required env/config listed as none, yet documentation references SPACE_API_KEY and SPACE_CENTER. The requested capabilities do not match the stated purpose.
Instruction Scope
SKILL.md is a full simulated-service doc (space-login) and its runtime instructions are limited to running local Python scripts and copying a config file. The Python code reads a local config.json only and performs no network calls or file reads outside its config. However, SKILL.md mentions environment variables (SPACE_API_KEY) that are not declared in the skill metadata, which is an inconsistency worth flagging.
Install Mechanism
There is no install spec in registry (instruction-only), but the package includes Python files and a requirements.txt (empty). Installation instructions tell the user to pip install -r requirements.txt. No third-party downloads or remote installers are present — low technical install risk — but the registry claiming 'instruction-only' while providing code is an inconsistency.
!
Credentials
Declared required env vars: none. SKILL.md, however, documents environment variables (SPACE_API_KEY, SPACE_CENTER) and suggests editing config.json. The original skill description implied access to saved cookies and CRM credentials but no such credentials are requested or used by the included code. That mismatch (advertised credential needs vs. actual code) is suspicious.
Persistence & Privilege
No 'always: true', no install-time scripts that modify other skills or system-wide settings, and the code does not persist secrets or write outside its own config file. Privilege/persistence requests are minimal.
What to consider before installing
Do not install or grant credentials yet. The package metadata claims a CRM publisher that would need cookies/credentials, but the shipped code and docs implement an unrelated 'space-login' simulator and do not request or use CRM credentials — this is a red flag. Actions to take before proceeding: 1) Ask the publisher/registry why the name/description differ from the files and request a trusted source or homepage. 2) Inspect the code yourself or have someone review it (look for network calls, os.exec, requests, or hidden endpoints). 3) If you must test, run it in an isolated sandbox or VM with no access to sensitive credentials. 4) Never provide CRM cookies/API keys until the provider and code are verified. 5) Prefer packages with a verifiable homepage, source repo, and clear ownership.

Like a lobster shell, security has layers — review code before you run it.

latestvk973pxwq20pd88c3ag8f4pkk4x8298th

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments