Cms Auth Skills

v2.3.6

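Base authentication Skill for CMS. Whenever a business API header needs an appKey or an access-token, this Skill must be triggered first. It supports resolving values from the context, from environment variables, from sender_id + account_id, and by exchanging an appKey for a token; on failure it asks the user for an appKey (work-collaboration key / cowork key).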

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for spzwin/cms-auth-skills.

Install the skill "Cms Auth Skills" (spzwin/cms-auth-skills) from ClawHub.
Skill page: https://clawhub.ai/spzwin/cms-auth-skills
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install cms-auth-skills

ClawHub CLI

npx clawhub@latest install cms-auth-skills

Security Scan

VirusTotal: Benign
OpenClaw: Benign (high confidence)

Purpose & Capability
Name/description state the skill will resolve appKey/access-token. The Python code implements exactly that: reading env vars XG_BIZ_API_KEY and XG_USER_TOKEN, exchanging appKey for tokens via TOKEN_AUTH_URL, resolving appKey via APPKEY_API_URL, and caching results. Hard-coded API endpoints and request key are consistent with the described CMS integration.
Instruction Scope
SKILL.md instructs callers to run scripts/auth/login.py and follow the documented priority rules. The runtime behavior aligns: the code reads context/explicit args, environment variables, calls remote auth endpoints, and falls back to asking user for appKey. It also reads/writes local cache/log files and migrates legacy runtime directories — these filesystem actions are outside pure in-memory parsing and should be expected and reviewed.
Install Mechanism
There is no install spec (instruction-only), so nothing is downloaded or installed automatically. However, bundled Python scripts require the third-party 'requests' library (not declared in registry metadata). No automatic code-download/update is performed (self_update only checks a remote version endpoint and signals when an update is available).
Credentials
Registry metadata lists no required env vars, but both SKILL.md and code use XG_BIZ_API_KEY and XG_USER_TOKEN (as optional credential sources). That is proportionate to the skill's purpose. The code will read these variables and will store resolved tokens/appKeys in a local auth cache.
Persistence & Privilege
The skill writes logs and an auth.json cache under a runtime root directory (e.g., .cms-log in the workspace), and may migrate legacy runtime directories. It caches appKey/token values by sender_id on disk. Persisted credentials are sensitive; this persistent storage and directory-migration behavior increases blast radius if the workspace is shared or untrusted.
Assessment
This skill appears to do what it says: it looks for appKey or token in context/env, exchanges appKey for a token via provider APIs, and caches results. Before installing, confirm you trust the remote endpoints (sg-cwork-web.mediportal.com.cn, sg-al-cwork-web.mediportal.com.cn, skills.mediportal.com.cn) and the repository owner. Note the skill will: 1) attempt network calls to those hosts; 2) require the Python 'requests' package (not declared); 3) persist appKey/token in a workspace .cms-log/state directory (auth.json) and may migrate legacy auth directories — these files can contain sensitive tokens. If you proceed, consider inspecting the bundled code yourself, restrict workspace access, and avoid putting high-privilege credentials into environment variables unless you trust the skill and endpoints. If you don't trust the remote hosts or the embedded APPKEY_REQUEST_KEY, do not install.

Like a lobster shell, security has layers — review code before you run it.

Latest version: v2.3.6
336 downloads
0 stars
14 versions
Updated 2w ago
License: MIT-0

cms-auth-skills

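Version: v2.3.4

Scope

  • This Skill is responsible only for resolving authentication values; it outputs appKey / access-token
  • Terminology: appKey = work-collaboration key = cowork key
  • Any business API that needs an authentication header must trigger this Skill first

General rules for AI execution

  1. First determine whether the target API needs an appKey or an access-token
  2. Then resolve in the fixed priority order; do not skip steps
  3. If resolution fails, ask the user only for an appKey
  4. appKey resolution and access-token resolution are two independent steps: when only an appKey is needed, do not proactively exchange it for an access-token
  5. Always run through scripts/auth/login.py; there is no need to read or analyse the scripts/auth/*.py source

Supported capabilities (5)

  1. Obtain appKey / access-token directly from the context or explicit arguments
  2. Obtain them from environment variables (with an empty-value check): XG_BIZ_API_KEY / XG_USER_TOKEN
  3. Obtain an access-token from an appKey
  4. Obtain an appKey from sender_id + account_id
  5. Ask the user for an appKey when automatic resolution fails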

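Resolution priority (must be followed in order)

Target is appKey

  1. appKey from the context or explicit argument
  2. Environment variable XG_BIZ_API_KEY
  3. sender_id + account_id
  4. Ask the user for an appKey

Target is access-token

  1. access-token from the context or explicit argument
  2. appKey from the context or explicit argument -> exchange for an access-token
  3. Environment variable XG_USER_TOKEN
  4. Environment variable XG_BIZ_API_KEY -> exchange for an access-token
  5. sender_id + account_id -> appKey -> access-token
  6. Ask the user for an appKey

Accepted context field names

  • appKey: appKey / app_key / appkey
  • access-token: access-token / access_token / token
  • sender_id: sender_id / senderId / send_id / sendId
  • account_id: account_id / accountId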
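
The priority order and the context field aliases above, written out as an added example; this is a stand-alone sketch and not the skill's own login.py. The function names are assumptions, and `lookup(sender_id, account_id)` and `exchange(app_key)` are hypothetical callables standing in for the skill's remote calls.

```python
ALIASES = {  # context key aliases from the compatibility list
    "app_key": ("appKey", "app_key", "appkey"),
    "access_token": ("access-token", "access_token", "token"),
    "sender_id": ("sender_id", "senderId", "send_id", "sendId"),
    "account_id": ("account_id", "accountId"),
}

class NeedAppKey(Exception):
    """Automatic resolution failed: ask the user for an appKey only."""

def pick(ctx, field):
    """First non-blank string among a field's aliases, else None."""
    for key in ALIASES[field]:
        value = ctx.get(key)
        if isinstance(value, str) and value.strip():
            return value.strip()
    return None

def from_env(env, name):
    return (env.get(name) or "").strip() or None  # blank values count as unset

def by_sender(ctx, lookup):
    """lookup(sender_id, account_id) is a hypothetical stand-in for the remote call."""
    sender, account = pick(ctx, "sender_id"), pick(ctx, "account_id")
    return lookup(sender, account) if sender and account else None

def _first(steps, exchange=None):
    for source, get, is_app_key in steps:
        value = get()
        if value:
            return (exchange(value) if is_app_key and exchange else value), source
    raise NeedAppKey("no appKey or access-token found; ask the user for an appKey")

def resolve_app_key(ctx, env, lookup):
    """appKey only: never exchanges for a token."""
    return _first((
        ("context appKey", lambda: pick(ctx, "app_key"), True),
        ("env XG_BIZ_API_KEY", lambda: from_env(env, "XG_BIZ_API_KEY"), True),
        ("sender_id+account_id", lambda: by_sender(ctx, lookup), True),
    ))

def resolve_access_token(ctx, env, lookup, exchange):
    """exchange(app_key) is a hypothetical stand-in for the appKey-to-token call."""
    return _first((
        ("context access-token", lambda: pick(ctx, "access_token"), False),
        ("context appKey", lambda: pick(ctx, "app_key"), True),
        ("env XG_USER_TOKEN", lambda: from_env(env, "XG_USER_TOKEN"), False),
        ("env XG_BIZ_API_KEY", lambda: from_env(env, "XG_BIZ_API_KEY"), True),
        ("sender_id+account_id", lambda: by_sender(ctx, lookup), True),
    ), exchange)
```

Each resolver returns the value together with the step that produced it, which makes it easy to log which credential source was used without logging the credential itself.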

CLI

Recommended arguments:

  • --app-key
  • --access-token
  • --sender-id
  • --account-id
  • --resolve-app-key
  • --ensure
  • --update

Legacy-compatible invocation:

  • --context-json

Common examples

# Return the token directly
python3 login.py --ensure --access-token "your-token"

# Exchange an appKey for a token
python3 login.py --ensure --app-key "your-app-key"

# Resolve the appKey only
python3 login.py --resolve-app-key --sender-id "user-001" --account-id "xgjk_prod"

# Legacy-compatible invocation
python3 login.py --ensure --context-json '{"appKey":"your-app-key"}'
