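Weaver (泛微) e-office v11 Collaborative Office System OpenAPI
v1.0.1
Weaver e-office collaborative office system OpenAPI - enterprise-grade APIs for user management, department management, approval workflows, attendance, and more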
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description, declared env vars (EOFFICE_BASE_URL, EOFFICE_AGENT_ID, EOFFICE_SECRET, EOFFICE_USER), example curl commands and the included get-token.py script all align with a client for e-office OpenAPI. No unrelated cloud credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md instructs the agent to call scripts/get-token.py to obtain a token and then call the documented OA endpoints. The README and script only perform HTTP requests to the provided EOFFICE_BASE_URL. Two items to note: (1) SKILL.md states the agent "will automatically cache token / refresh when expired" — the repository contains a refresh helper but no persistent cache implementation, so caching is an agent/platform responsibility (possible minor mismatch between claim and provided code); (2) the get-token.py prints the token to stdout, which may expose tokens in logs or agent transcripts if not handled carefully.
Install Mechanism
No install spec is provided (instruction-only skill with a small helper script). The only runtime dependency is Python + requests (not unusual). There are no downloads from arbitrary URLs or archive extraction steps. Risk from install mechanism is low.
Credentials
Required env vars (base URL, agent id, secret, user) are appropriate for the described OpenAPI. The get-token.py script also optionally reads EOFFICE_TOKEN and EOFFICE_REFRESH_TOKEN for refresh flow; those are not listed as required in SKILL.md but are optional and reasonable. All requested variables are OA-specific and proportionate — no unrelated secrets are requested.
Persistence & Privilege
Skill does not request always:true and does not ask to modify other skills or system settings. It claims token caching and automatic refresh, which is normal for API client behavior; persistent storage of tokens would be handled by the agent/runtime, not the skill files themselves.
Assessment
This skill appears to do what it says: it needs your e-office Base URL, Agent ID, Secret, and a user identifier to obtain tokens and call OA APIs. Before installing: (1) verify the skill's source/maintainer — the repository homepage is a placeholder (https://github.com/yourname) and the package owner is unknown; prefer an official or audited source; (2) ensure EOFFICE_BASE_URL points to your trusted OA instance (do not point it at a third-party server you don't control); (3) treat EOFFICE_SECRET as sensitive — use least-privilege application credentials and consider creating an app scoped only to required operations; (4) be aware get-token.py prints tokens to stdout (which could be captured in logs/transcripts) — confirm your agent/platform handles secrets and logs securely; (5) confirm whether your OpenClaw agent runtime provides secure token caching/refresh — SKILL.md claims automatic caching but the repo provides only a helper script, not persistent storage. If any of the above concerns are unacceptable, review or host the code yourself and test the script locally before enabling the skill in production.
Like a lobster shell, security has layers — review code before you run it.
