Yunshang Aifei Cli Share

This skill is a legitimate-looking API client for an internal OA system, but before installing consider the following: - The code expects AIFEI_USERNAME and AIFEI_PASSWORD in a .env file — the registry metadata did not declare these, so you must provide credentials for it to work. Keep the .env private. - For captcha solving the module will try to find a DASHSCOPE_API_KEY. If you do not set DASHSCOPE_API_KEY in .env, the module will scan your OpenClaw config (~/.openclaw/openclaw.json and a sibling path) and use any found provider apiKey to call DashScope. If you do not want this skill to access other tool credentials, remove that logic or ensure OpenClaw config does not contain reusable secrets. - The captcha solver sends base64 image data to an external model endpoint using the discovered API key. That is functional for automation but means an external service will process captcha images; confirm you are comfortable with that data flow and that the API key’s provider is trusted. - The client caches tokens in files inside the skill workspace. If multiple users share the workspace, tokens could be reused; secure the workspace directory. If you want to proceed but reduce risk: - Provide DASHSCOPE_API_KEY explicitly in .env tied to a limited-scope account, or disable/replace the captcha solver with a local/manual step. - Inspect and, if necessary, remove the code paths that read OpenClaw configuration before running. - Run the tool only on the intended internal network (the API endpoints are internal IPs) and review the generated .token-*.json files after use. Given the mismatches and the skill reading other config files for API keys, treat this as suspicious until you confirm or restrict the credential-access behavior.

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.