SFE维盛数据查询 (SFE Weisheng data query)
Review. Audited by ClawScan on May 13, 2026.
Overview
The skill mostly matches its stated data-query purpose, but it needs review because it can use an app key to fetch broad business reports and instructs the agent to force-install an authentication dependency.
Before installing, confirm that you trust the cms-auth-skills dependency source, approve any dependency installation manually, use a least-privilege appKey, verify the API base URL is the intended production domain, and require scoped filters such as zoneId before running report queries.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the appKey has broad access, the agent may be able to retrieve more report data than the user intended, and a misconfigured base URL could send the key to the wrong endpoint.
The script sends an appKey to the API host and only includes zoneId when provided, even though the documentation says zoneId is required. The destination host can also be overridden by an environment variable.
`BASE_URL = os.environ.get("XG_BIZ_API_BASE_URL", "https://erp-web.mediportal.com.cn/erp-open-api") ... headers = {"appKey": os.environ.get("XG_BIZ_API_KEY", ""), ...} ... body = {"page": page}; if zone_id is not None: body["zoneId"] = zone_id`
Require and validate zoneId or other scope filters before queries, restrict the API base URL to approved production domains, and declare the required credential/environment variables in metadata.
Installing the skill could cause the agent to add or overwrite another skill that handles authentication, increasing supply-chain and credential-handling risk.
The skill instructs the agent to install an authentication dependency automatically, using --force and a GitHub fallback whose contents are not included in the reviewed artifacts.
If it is not installed, first run `npx clawhub@latest install cms-auth-skills --force` ... then run `npx clawhub@latest install https://github.com/spzwin/cms-auth-skills.git --force`
Make dependency installation an explicit user-approved setup step, avoid --force by default, pin or verify the dependency source/version, and include enough dependency documentation for review.
A user may not see warnings if TLS verification is later disabled or misconfigured.
The script suppresses TLS warning messages. The shown request does not disable certificate verification, but suppressing these warnings can hide future or environmental TLS misconfiguration.
`warnings.filterwarnings("ignore", category=requests.packages.urllib3.exceptions.InsecureRequestWarning)`
Remove the warning suppression unless certificate verification is intentionally and safely configured; do not disable TLS verification for production API calls.
