Cms Auth Skills

v2.3.6

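CMS basic authentication Skill. Whenever a business API's Header requires an appKey or access-token, this Skill must be triggered first. It supports resolving credentials from context, environment variables, sender_id+account_id, and exchanging an appKey for a token, and on failure it asks the user for the appKey (work collaboration key / cowork key).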

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description state the skill will resolve appKey/access-token. The Python code implements exactly that: reading env vars XG_BIZ_API_KEY and XG_USER_TOKEN, exchanging appKey for tokens via TOKEN_AUTH_URL, resolving appKey via APPKEY_API_URL, and caching results. Hard-coded API endpoints and request key are consistent with the described CMS integration.
Instruction Scope
SKILL.md instructs callers to run scripts/auth/login.py and follow the documented priority rules. The runtime behavior aligns: the code reads context/explicit args, environment variables, calls remote auth endpoints, and falls back to asking user for appKey. It also reads/writes local cache/log files and migrates legacy runtime directories — these filesystem actions are outside pure in-memory parsing and should be expected and reviewed.
Install Mechanism
There is no install spec (instruction-only), so nothing is downloaded or installed automatically. However, bundled Python scripts require the third-party 'requests' library (not declared in registry metadata). No automatic code-download/update is performed (self_update only checks a remote version endpoint and signals when an update is available).
Credentials
Registry metadata lists no required env vars, but both SKILL.md and code use XG_BIZ_API_KEY and XG_USER_TOKEN (as optional credential sources). That is proportionate to the skill's purpose. The code will read these variables and will store resolved tokens/appKeys in a local auth cache.
Persistence & Privilege
The skill writes logs and an auth.json cache under a runtime root directory (e.g., .cms-log in the workspace), and may migrate legacy runtime directories. It caches appKey/token values by sender_id on disk. Persisted credentials are sensitive; this persistent storage and directory-migration behavior increases blast radius if the workspace is shared or untrusted.
Assessment
This skill appears to do what it says: it looks for appKey or token in context/env, exchanges appKey for a token via provider APIs, and caches results. Before installing, confirm you trust the remote endpoints (sg-cwork-web.mediportal.com.cn, sg-al-cwork-web.mediportal.com.cn, skills.mediportal.com.cn) and the repository owner. Note the skill will: 1) attempt network calls to those hosts; 2) require the Python 'requests' package (not declared); 3) persist appKey/token in a workspace .cms-log/state directory (auth.json) and may migrate legacy auth directories — these files can contain sensitive tokens. If you proceed, consider inspecting the bundled code yourself, restrict workspace access, and avoid putting high-privilege credentials into environment variables unless you trust the skill and endpoints. If you don't trust the remote hosts or the embedded APPKEY_REQUEST_KEY, do not install.

Like a lobster shell, security has layers — review code before you run it.

latestvk978whrj8va6t3prctm6vkbpsn84eqpn
