CWork 工作协同

Send reports, create tasks, and manage drafts in the CWork collaboration platform with name resolution and draft confirmation workflow.

MIT-0 · Free to use, modify, and redistribute. No attribution required.

⭐ 0 · 124 · 0 current installs · 0 all-time installs

by@evan-zhang

duplicate of @evan-zhang/workspace-cwork

MIT-0

Security Scan

VirusTotal

Pending

View report →

OpenClaw

Suspicious

medium confidence

✓

Purpose & Capability

Name/description (send reports, create tasks, manage drafts) match the included code: many report/task/contacts/analysis modules and a shared cwork-client that calls a CWork API. The declared required env CWORK_APP_KEY is appropriate for an API-key-backed integration. The API base URL in api-reference points to a specific host (sg-al-cwork-web.mediportal.com.cn), which is consistent with an enterprise integration but note the skill's source/homepage are unknown.

ℹ

Instruction Scope

Runtime SKILL.md rules are scoped to the collaboration workflows (draft-first, name resolution via emp-search, LLM passed in by caller). The skill's LLM calls embed explicit systemPrompt strings in multiple files (expected for LLM-driven features). A pre-scan flagged 'system-prompt-override' in SKILL.md — likely a scanner false positive because the package legitimately supplies system prompts to LLM calls, but you should review any system/assistant prompt text to ensure it doesn't instruct unexpected behavior.

✓

Install Mechanism

No install spec (instruction-only / code included). No external download URLs or extract steps were found. The package includes source code and a package.json but does not perform network installs during skill registration, which reduces install-time risk.

ℹ

Credentials

Only CWORK_APP_KEY is required (plus optional base URL and timeout settings). This is proportionate to a single-service integration. Minor inconsistency: config/index.ts claims credentials come from an injected runtime config (setup({ apiKey })) rather than reading process.env directly, while metadata and package.json also list CWORK_APP_KEY as required — verify how you will supply the API key and how it is stored/used at runtime (in-memory vs environment vs persisted).

✓

Persistence & Privilege

always:false and normal autonomous invocation allowed (platform default). The skill does not request system-wide config changes or other skills' credentials. No files or installers claiming to modify agent configs were observed.

Scan Findings in Context

[system-prompt-override] expected: The skill contains many LLM-invoking functions that pass explicit systemPrompt strings to an injected llmClient.generateJSON API. That pattern is expected for LLM-dependent features; the scanner likely flagged this because the SKILL.md and code include system-prompt content. Still review those prompts to ensure they do not attempt to subvert agent-level system prompts.

What to consider before installing

This package appears to implement the claimed CWork report/task features and only asks for a single API key, which is reasonable. Before installing: 1) Verify the skill's origin or contact the owner; source/homepage are missing. 2) Inspect shared/setup and runtime code to confirm how the CWORK_APP_KEY is provided and stored (prefer in-memory runtime injection, avoid persisting secrets). 3) Confirm the API base URL (sg-al-cwork-web.mediportal.com.cn) is the correct, expected service for your organization. 4) Review the LLM system prompts embedded in the code (they were flagged by a scanner); ensure they don't instruct the agent to exfiltrate data or perform actions outside the collaboration workflows. 5) If possible, test in a restricted/non-production environment and use an API key with least privilege. If you need higher assurance, ask the publisher for provenance or a signed package/source repository.

✗

shared/cwork-client.ts:4

Environment variable access combined with network send.

Patterns worth reviewing

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Current versionv2.1.1

Download zip

latestvk975dx80w82hdq79eekqccnyy583zxdz

License

MIT-0

Free to use, modify, and redistribute. No attribution required.

Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📋 Clawdis

OSLinux · macOS · Windows

EnvCWORK_APP_KEY

SKILL.md

When to Use

Trigger when user wants to:

Send, draft, or query work reports
Create, assign, or track tasks
Manage draft box (save/confirm/send/delete)
Query inbox, todo list, or unread reports
Analyze reports or summarize decisions

Quick Reference

Topic	File
Setup & security	`setup.md`
Standard workflows	`workflow.md`
All API endpoints	`api-reference.md`
Sub-domain skills	`*/SKILL.md`

Core Rules

Draft before send — Always save draft, show user for confirmation, then call draft-submit. Never call report-submit directly unless user explicitly says so.
Name resolution is built-in — Pass names directly to taskCreate and report functions. Internal emp-search runs automatically. Do not ask user for empId.
Ask once, act once — Collect all missing info in one message. After user confirms, call API immediately. No re-preparation loops.
LLM is caller-injected — Pass { llmClient } to LLM-dependent skills. This package never stores LLM credentials.
Output by channel — Telegram: bullets, no tables, conclusion first. Discord: tables OK. API: JSON.

Domains

shared/ — 9 data-fetch skills (no LLM)
reports/ — 19 skills: send, reply, draft, query, AI chat
tasks/ — 12 skills: create, assign, track, dashboard
decisions/ — 6 skills: summarize, extract conclusions
closure/ — 5 skills: status check, reminder
analysis/ — 6 skills: trends, highlights
contacts/ — 4 skills: groups management
llm/ — 1 skill: multi-source aggregation

Files

85 total

Select a file

Select a file to preview.

Comments

Loading comments…