CMCC Digital Credential
v1.0.0
Manage China Mobile Digital Credential flow by loading credentials, binding agent, and authorizing sensitive operations with secure HmacSHA256 signatures and...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name and description match the included scripts: loading appId/appKey, binding the agent, requesting and polling authorizations, signing with HMAC-SHA256, and encrypting phone numbers. The network calls are to the expected authorization endpoints for this flow.
Instruction Scope
SKILL.md and the scripts stay within the stated scope: Phase 1 parses and saves credentials (no network), Phase 1.5 binds the agent, Phase 2 requests/polls authorization. The scripts only read the provided credential file and the memory file and do not attempt to read other system files or unrelated environment variables.
Install Mechanism
No install spec is provided (instruction-only), but the bundle includes Python scripts that import Crypto (PyCryptodome). Required runtime dependencies are not declared and will need to be installed by the user. This is a usability/operational gap rather than evidence of malicious behavior.
Credentials
The skill requests no environment variables and operates using appId/appKey provided in a user file, which is proportionate. It does persist plaintext/secrets to memory/cmcc-digital-credential.json on disk — necessary for operation but a sensitive action users should be aware of.
Persistence & Privilege
The skill does not request elevated platform privileges or always-on inclusion. It writes its own credential memory file and can perform network calls to the stated BASE_URL; it does not modify other skills or system-wide agent settings.
Assessment
This skill appears to do what it claims, but review before installing: (1) source and provenance are unknown — prefer packages with a trusted homepage or repository; (2) the code will write your appKey/appId to memory/cmcc-digital-credential.json on disk (unencrypted) — consider file permissions or encrypted storage; (3) the scripts make network calls to https://vctest.cmccsign.com and will send an encrypted phone number and HMAC-signed payloads — confirm you trust that endpoint and its environment; (4) the bundle uses the Crypto library (PyCryptodome) but provides no install spec — ensure you install the correct dependencies and audit the code yourself; (5) the implementation uses AES/ECB and MD5-based key derivation (weak primitives) — if cryptographic strength is important, review protocol requirements with the service owner. If you are unsure, run it in an isolated environment, inspect/verify the endpoint, or request the package from a verified source.
Like a lobster shell, security has layers — review code before you run it.
latestvk97efckc7n8t1newbqwh4xxyxs83kr5c
