Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cms Cwork Skils

v1.0.0

CWork collaboration atomic-capability set, covering employee search, file upload/download, sending and replying to reports, inbox/outbox, report details, tasks, to-dos, matters, plugin aggregation, new messages, read status and AI Q&A; intended for scenarios such as reports, to-dos, tasks, attachments, messages, read status and employee lookup; supports appKey authentication only and loads API endpoints on demand to execute composed calls.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious

OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill name and description, the OpenAPI docs and the Python scripts consistently implement CWork collaboration actions (search users, upload/download files, send/reply to reports, to-dos, SSE AI Q&A). That fits the stated purpose. However, the package metadata declares no required credentials or env vars, while SKILL.md and the scripts explicitly rely on an `appKey` (XG_BIZ_API_KEY / XG_APP_KEY) provided by a separate helper skill (cms-auth-skills). The missing credential/env declaration in the registry metadata is an inconsistency.
Instruction Scope
SKILL.md explicitly instructs the agent to read cms-auth-skills/SKILL.md and, if it is not present, to run `npx clawhub@latest install cms-auth-skills --force` or fall back to installing from a GitHub repo. That is an instruction to fetch and execute external code. SKILL.md also enforces a strict authentication charter (never ask the user for tokens; only use the helper). While this may be intended to centralize auth, it also reduces transparency and could be used to hide credential handling. The scripts perform file uploads and downloads and require local file paths when uploading; those file operations are normal for the stated purpose but should run only with explicit user consent.
Install Mechanism
There is no formal install spec in the registry metadata (instruction-only), but the runtime instructions direct the agent to run npx to install another skill and possibly to pull from a GitHub repository. Using npx to fetch and run packages (with a fallback to a GitHub repo) is higher risk because it executes remote code that was not pre-declared in the registry. The fallback to a direct GitHub install is especially sensitive.
Credentials
The manifest lists no required env vars, but SKILL.md and the scripts expect an `appKey` supplied as an environment variable (XG_BIZ_API_KEY / XG_APP_KEY) and rely on cms-auth-skills to produce it. No unrelated cloud credentials are requested. The mismatch between the declared 'none' and the actual appKey dependency is a proportionality/visibility issue that should be fixed before the skill is trusted.
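A check for the mismatch described above, added here as an example (it is not code from the skill, from cms-auth-skills or from ClawHub): it statically extracts the environment variable names a Python script reads and diffs them against what the manifest declares. The manifest layout (`requires.env`), the sample manifest and the sample script are constructed assumptions standing in for the skill's real files, which this page does not reproduce.

```python
import ast
import json
from typing import Iterable, Set

# Constructed sample inputs (not the real skill's files): a manifest that declares
# no required environment variables, and a script that reads the appKey from the
# environment the way the scan report describes (XG_BIZ_API_KEY / XG_APP_KEY).
SAMPLE_MANIFEST = json.dumps({
    "name": "cms-cwork-skills",
    "version": "1.0.0",
    "requires": {"env": []},   # assumed manifest layout, not ClawHub's real schema
})

SAMPLE_SCRIPT = '''
import os
import requests

def app_key() -> str:
    key = os.environ.get("XG_BIZ_API_KEY") or os.getenv("XG_APP_KEY")
    if not key:
        raise SystemExit("run cms-auth-skills first")
    return key

def search_users(q):
    return requests.get("https://cwork.invalid/users", params={"q": q},
                        headers={"appKey": app_key()})
'''


def declared_env(manifest_text: str) -> Set[str]:
    """Env vars the registry metadata declares as required (assumed key path)."""
    data = json.loads(manifest_text)
    return set(data.get("requires", {}).get("env", []))


def _is_os_environ(node: ast.AST) -> bool:
    return (isinstance(node, ast.Attribute) and node.attr == "environ"
            and isinstance(node.value, ast.Name) and node.value.id == "os")


def referenced_env(source: str) -> Set[str]:
    """Env var names a script reads via os.environ[...], os.environ.get(...)
    or os.getenv(...). Only string-literal names are recoverable statically;
    names built at runtime would need a dynamic trace instead."""
    names: Set[str] = set()
    for node in ast.walk(ast.parse(source)):
        # os.environ["NAME"]  (ast.Index wrapper only exists on Python < 3.9)
        if isinstance(node, ast.Subscript) and _is_os_environ(node.value):
            key = node.slice
            if type(key).__name__ == "Index":
                key = key.value
            if isinstance(key, ast.Constant) and isinstance(key.value, str):
                names.add(key.value)
        # os.environ.get("NAME") / os.getenv("NAME")
        elif isinstance(node, ast.Call) and node.args:
            f = node.func
            is_get = (isinstance(f, ast.Attribute) and f.attr == "get"
                      and _is_os_environ(f.value))
            is_getenv = (isinstance(f, ast.Attribute) and f.attr == "getenv"
                         and isinstance(f.value, ast.Name) and f.value.id == "os")
            arg = node.args[0]
            if (is_get or is_getenv) and isinstance(arg, ast.Constant) \
                    and isinstance(arg.value, str):
                names.add(arg.value)
    return names


def undeclared_env(manifest_text: str, sources: Iterable[str]) -> Set[str]:
    """Env vars the scripts read but the manifest never declares: the
    metadata/document mismatch the scan report calls out."""
    used: Set[str] = set()
    for src in sources:
        used |= referenced_env(src)
    return used - declared_env(manifest_text)


if __name__ == "__main__":
    missing = undeclared_env(SAMPLE_MANIFEST, [SAMPLE_SCRIPT])
    print("env vars read by scripts but not declared:", sorted(missing))
```

Run it over every `*.py` under the skill directory and the registry manifest; a non-empty result is exactly the "declared none, actually needs appKey" finding, and the same walk also surfaces any unexpected cloud or CI secrets the scripts would read.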
Persistence & Privilege
The skill declares always:false (good), but its runtime instructions tell the agent to install another skill (cms-auth-skills) into the environment via npx or git. That action changes the agent runtime (writes and installs code) and widens the persistence/privilege surface. Although the skill itself does not declare always:true, its install guidance effectively grants it the ability to pull and install code autonomously, which is a notable privilege.
Scan Findings in Context
[unicode-control-chars] unexpected: SKILL.md contained Unicode control character patterns flagged by the pre-scan. Such characters can be used for prompt injection or display obfuscation; they are not expected in a straightforward API wrapper and should be inspected (the cause could be accidental encoding or deliberate).
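An audit that reproduces both signals flagged on this page, the remote-fetch instructions under Install Mechanism and the Unicode control characters in this finding, added here as an example and not part of the ClawHub scanner or of the skill. The SKILL.md text below, including its GitHub URL, is constructed for the demonstration; the real file is not reproduced on this page.

```python
import re
import unicodedata
from typing import Dict, List, Tuple

# Constructed sample SKILL.md (not the real skill's file). It carries the two traits
# the scan report flags: an instruction to fetch code with npx / git, and invisible
# Unicode characters (a zero-width space and a right-to-left override on line 6).
SAMPLE_SKILL_MD = (
    "# cms-cwork-skills\n"
    "Read cms-auth-skills/SKILL.md first. If it is missing, run:\n"
    "    npx clawhub@latest install cms-auth-skills --force\n"
    "or fall back to: git clone https://github.com/example/cms-auth-skills\n"
    "Never ask the user for tokens; call login.py --resolve-app-key.\n"
    "Upload attach\u200bments with upload.py \u202ebefore sending the report.\n"
)

# Unicode general categories: Cc = control, Cf = format (bidi overrides, zero-width
# joiners/spaces, soft hyphens). Tab, LF and CR are legitimate in a text file.
ALLOWED_CONTROLS = {"\t", "\n", "\r"}

# Instructions that would make the agent pull and run code not declared in the
# registry metadata. Pattern is illustrative; extend it for your own package managers.
REMOTE_FETCH = re.compile(
    r"\b(npx\s+\S+\s+install|git\s+clone\s+\S+|curl\s+[^\n|]*\|\s*(sh|bash)|"
    r"pip\s+install\s+git\+\S+)",
    re.IGNORECASE,
)


def find_control_chars(text: str) -> List[Tuple[int, int, str, str]]:
    """(line, column, U+XXXX, Unicode name) for every Cc/Cf character found."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in ALLOWED_CONTROLS:
                continue
            if unicodedata.category(ch) in ("Cc", "Cf"):
                hits.append((lineno, col, f"U+{ord(ch):04X}",
                             unicodedata.name(ch, "<unnamed>")))
    return hits


def find_remote_fetch(text: str) -> List[Tuple[int, str]]:
    """(line, matched command) for each remote code-fetch instruction."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = REMOTE_FETCH.search(line)
        if m:
            hits.append((lineno, m.group(0).strip()))
    return hits


def audit(text: str) -> Dict[str, object]:
    """Combine both checks; 'suspicious' is True if either fires."""
    controls = find_control_chars(text)
    fetches = find_remote_fetch(text)
    return {"control_chars": controls, "remote_fetch": fetches,
            "suspicious": bool(controls or fetches)}


if __name__ == "__main__":
    report = audit(SAMPLE_SKILL_MD)
    for lineno, col, cp, name in report["control_chars"]:
        print(f"line {lineno} col {col}: {cp} {name}")
    for lineno, cmd in report["remote_fetch"]:
        print(f"line {lineno}: remote fetch -> {cmd}")
    print("suspicious:", report["suspicious"])
```

Read the file as UTF-8 with `errors="strict"` before passing it in, so mis-encoded bytes fail loudly rather than being silently replaced; a right-to-left override or zero-width space sitting inside an instruction sentence is the "display obfuscation" case the finding describes, because what the agent parses differs from what a reviewer sees rendered.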
What to consider before installing
This package appears to implement a real CWork API wrapper (the scripts and OpenAPI docs match), but there are three main caution points:

1) Authentication handling: the skill relies on an external helper `cms-auth-skills` to produce an appKey and instructs the agent never to ask the user about tokens. Confirm where `cms-auth-skills` comes from and review its code and behavior. Do not run this skill until you trust that helper.

2) Auto-install instructions: SKILL.md tells the agent to run `npx ... install` and fall back to a GitHub repo. Running npx or installing from GitHub executes remote code and can modify your environment. Prefer to manually inspect and install `cms-auth-skills` from a vetted source (or reject the skill) rather than allowing automated installs.

3) Metadata/document mismatch and obfuscation signal: the registry metadata declares no required env vars, but the scripts need appKey env vars. The pre-scan also found Unicode control characters in SKILL.md (a prompt-injection/obfuscation risk). Ask the publisher for a clear provenance statement and for the missing env/credential declarations to be fixed.

Practical steps before installing:
- Request the canonical source URL or a signed release for both this skill and cms-auth-skills; do not rely on npx fallbacks.
- Manually review the cms-auth-skills code, especially `login.py --resolve-app-key`, to see how credentials are obtained and stored and whether any secrets are transmitted to third parties.
- Run the scripts in an isolated sandbox without privileged credentials and with network restrictions until validated.
- If you will provide an appKey, ensure it is scoped and revocable; avoid supplying any broad or cloud-level secrets.

Because of these inconsistencies and the installation behavior, treat this skill as suspicious until provenance and the auth-install flow are validated.


latest: vk978cf2t298vtay47g5mh0nv3s84d4yc

