ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

PKU CWFW

v1.0.0

北京大学财务综合信息门户 (cwfw.pku.edu.cn / WF_CWBS) CLI 工具。当用户提及 cwfw、财务门户、财务综合信息门户、个人酬金、工资查询、报销查询 时使用此 skill。Also use when dealing with cwfw IAAA 登录 (app_id=IIPF)、home...

0· 67·0 current·0 all-time
by@wjsoj

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for wjsoj/pku-cwfw.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "PKU CWFW" (wjsoj/pku-cwfw) from ClawHub.
Skill page: https://clawhub.ai/wjsoj/pku-cwfw
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install pku-cwfw

ClawHub CLI

Package manager switcher

npx clawhub@latest install pku-cwfw
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill name/description describe a concrete CLI client for PKU's cwfw (with Rust source files and a crate layout). However the registry package contains no code, no install spec, and no required-binaries declared. The instructions assume a 'cwfw' binary and an 'info-auth' helper; those are not provided or listed as requirements, which is incoherent.
!
Instruction Scope
SKILL.md instructs running commands (e.g., 'info-auth check', 'cwfw login -p', 'cwfw <query-cmd>'), describes multi-step SSO and encrypted form fields, and says sessions are persisted under '~/.config/info/cwfw/'. Those operational instructions imply the agent will execute binaries, perform authentication flows, handle user credentials, and read/write user config — none of which the skill declares or implements.
!
Install Mechanism
There is no install specification even though the document claims a built crate and multiple source files. That absence makes it unclear how the described CLI would be installed or where the referenced binaries come from.
!
Credentials
The skill describes interacting with IAAA SSO and session persistence but declares no environment variables or credential inputs. A real CLI that performs login would need credential handling; the lack of declared credentials or explicit guidance about how secrets are supplied is a mismatch and increases risk (user may be prompted to supply credentials ad-hoc).
Persistence & Privilege
always:false (good). The instructions state session persistence to '~/.config/info/cwfw/' which is expected for a CLI but should be made explicit. The skill does not request elevated privileges or system-wide changes, but it will create persistent files if the referenced CLI existed.
What to consider before installing
This package is instruction-only but claims a Rust CLI and lists many source files and commands; however no code or install is provided and no required binaries/credentials are declared. Do not run unknown commands suggested here (e.g., 'info-auth check' or 'cwfw login -p') until you have the actual binary or source and can verify it. Ask the publisher for: (1) the source or a signed release (GitHub release or official distro package), (2) an install spec or build instructions, and (3) explicit details on how credentials are handled and where session files are stored. If you must proceed, review the code locally before running it, and avoid entering SSO credentials into unverified tools.

Like a lobster shell, security has layers — review code before you run it.

clivk97c2eekzd1fre6cktjx0nr3n984x9zrcwfwvk97c2eekzd1fre6cktjx0nr3n984x9zrfinancevk97c2eekzd1fre6cktjx0nr3n984x9zrlatestvk97c2eekzd1fre6cktjx0nr3n984x9zrpayrollvk97c2eekzd1fre6cktjx0nr3n984x9zrpkuvk97c2eekzd1fre6cktjx0nr3n984x9zrrustvk97c2eekzd1fre6cktjx0nr3n984x9zr
67downloads
0stars
1versions
Updated 1w ago
v1.0.0
MIT-0
@wjsoj
clicwfwfinancelatestpayrollpkurust
Download

cwfw - 北大财务综合信息门户 CLI

A CLI client for PKU's financial information portal at cwfw.pku.edu.cn (WF_CWBS subsystem).

Architecture

  • Crate location: crates/cwfw/
  • Auth flow: IAAA SSO (app_id="IIPF") → cwfw.pku.edu.cn/WFManager/home2.jspfindpages_postData.actionhome3.jsp → WF_CWBS 子系统 entry(3 步 bootstrap 缺一不可)
  • API: HTML 抓取 + 加密的 form 字段

Key Source Files

  • src/main.rs — tokio::main 调用 pku_cwfw::run()
  • src/lib.rs — Clap CLI 定义
  • src/client.rs — reqwest client
  • src/login.rs — IAAA → multi-step bootstrap → WF_CWBS session
  • src/context.rs — 会话上下文(子系统 URL 等)
  • src/encrypt.rs — 表单字段加密(用于某些查询请求)
  • src/api.rs — 各查询 API
  • src/commands.rs — 子命令实现
  • src/display.rs — 终端渲染

CLI Commands

Command用途
login -pIAAA 登录 + cwfw 多步 bootstrap
status / logout会话管理
个人酬金 / 工资 / 报销查询详见 --help

Auto-Login for AI Agents

info-auth check
cwfw login -p
cwfw <query-cmd>

Development Notes

  • 多步 bootstrap 必须严格顺序执行,否则后续子系统访问会返回登录页
  • Session 持久化 ~/.config/info/cwfw/
  • 所有文案中文,anyhow::Result + .context("中文描述")
  • 某些表单字段需要加密(见 encrypt.rs),算法直接抄自网页 JS

Comments

Loading comments...