Weaver E10 Api
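v0.1.1
Weaver E10 system API client tool. Supports creating workflows, querying to-do items, submitting approvals, returning (rejecting) workflows, and similar operations. Uses OAuth 2.0 authentication and manages token refresh automatically.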
MIT-0
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description match the code: it is an OAuth2 client for 泛微 E10 that creates workflows, queries todos, approves/rejects requests. However the registry metadata declares no required environment variables or config paths while the runtime code requires WEAVER_API_BASE, WEAVER_APP_KEY, WEAVER_APP_SECRET, WEAVER_CORPID and reads a specific env file path. This mismatch is unexpected and should be clarified.
Instruction Scope
SKILL.md instructs the user to store credentials in /ollama/workspace/.env/weaver-e10.env and documents token caching at ~/.weaver-e10/token.json. The runtime code indeed reads that exact workspace .env path and writes a token cache to the user's home. The instructions therefore cause the agent to read/write files on disk (workspace .env and home token file) — these actions are within the declared functional scope but they were not declared in the registry metadata, and the SKILL.md references an auth.py module that is not present in the file manifest, which is an inconsistency.
Install Mechanism
There is no install spec (instruction-only install), which is low risk. The package does include a Python script (scripts/weaver-e10.py) that will be executed by the user/agent; nothing is downloaded from third-party URLs and no install-time arbitrary downloads are present.
Credentials
The code requires four service-specific environment variables (WEAVER_API_BASE, WEAVER_APP_KEY, WEAVER_APP_SECRET, WEAVER_CORPID) and reads a workspace .env file, but the registry metadata lists no required env vars or config paths. That omission is a mismatch and increases risk because users may not realize sensitive credentials are needed or exactly where they will be read from/written to (token cache in home).
Persistence & Privilege
The skill is not configured as always:true and does not request system-wide privileges. It writes its own token cache (~/.weaver-e10/token.json) and reads the specified .env file; it does not modify other skills or global agent config. Autonomous invocation is allowed (platform default) but is not coupled with unusually broad privileges here.
What to consider before installing
This skill's code appears to implement the Weaver E10 API client described, but the package metadata does not declare the environment variables or config paths the code actually needs. Before installing or supplying credentials: 1) Inspect the full script (weaver-e10.py) yourself to confirm no hidden endpoints or unexpected network calls; 2) Do not place production credentials into a shared or public workspace path — prefer a secure location and verify the code reads the path you expect (it currently uses /ollama/workspace/.env/weaver-e10.env); 3) Confirm the token cache location (~/.weaver-e10/token.json) is acceptable and protected (chmod 600); 4) Ask the publisher why SKILL.md references an auth.py that is not in the manifest and update metadata to list required env vars; 5) Only point WEAVER_API_BASE to an internal, trusted E10 server. These inconsistencies look like sloppy packaging rather than an obvious backdoor, but verify before giving this skill access to sensitive credentials.
Like a lobster shell, security has layers — review code before you run it.
latest
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
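Weaver E10 API Skill
Features
| Feature | Command | Description |
|---|---|---|
| Get token | weaver-e10 auth | Obtain or refresh the access_token |
| Create workflow | weaver-e10 create | Start a new approval workflow |
| Query to-dos | weaver-e10 todos | List a user's to-do items |
| Submit approval | weaver-e10 approve | Submit or approve a workflow |
| Return workflow | weaver-e10 reject | Return (reject) an approval workflow |
| Query workflow | weaver-e10 get | Get workflow details |
Environment variable configuration
Configure the following in /ollama/workspace/.env/weaver-e10.env:
# Weaver E10 API configuration
# ⚠️ Replace these with your own real values; do not use the placeholders from this example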
WEAVER_API_BASE=http://your-weaver-server:port
WEAVER_APP_KEY=your_app_key_here
WEAVER_APP_SECRET=your_app_secret_here
WEAVER_CORPID=your_corpid_here
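🔒 Security warning
- Credential storage: the .env/weaver-e10.env file contains sensitive credentials. Please:
  - Do not commit it to Git or any other version control system
  - Set the file permissions: chmod 600 .env/weaver-e10.env
  - Do not send it in plaintext over chat tools, email, or similar channels
- Token cache: tokens are cached in ~/.weaver-e10/token.json. Please:
  - Make sure the home directory permissions are secure
  - Clean up expired tokens regularly
  - Do not use it on shared hosts
- Network isolation: use on an internal network is recommended; avoid exposing it to the public internet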
Usage examples
1. Get a token (automatic)
# First-time fetch
weaver-e10 auth
# Output
{
  "access_token": "xxx",
  "expires_in": 7200,
  "refresh_token": "xxx"
}
2. Create a workflow
weaver-e10 create \
--userid 731942425541656576 \
--workflow-id 5955363498899145211 \
--title "请假申请" \
--form-data '{"dataDetails": [{"fieldId": "123", "content": "张三"}]}' \
--next-flow
3. Query to-dos
weaver-e10 todos --userid 731942425541656576 --page 1 --size 20
4. Submit an approval
weaver-e10 approve \
--userid 731942425541656576 \
--request-id 848951654078865410 \
--remark "同意"
5. Return a workflow
weaver-e10 reject \
--userid 731942425541656576 \
--request-id 848951654078865410 \
--reject-type 1 \
--remark "资料不全,请补充"
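Authentication flow
1. Call /oauth2/authorize to obtain a code (valid for 10 minutes)
2. Call /oauth2/access_token to exchange the code for a token (valid for 2 hours)
3. After the token expires, it is refreshed automatically using the refresh_token (valid for 24 hours)
4. After the refresh_token expires, authorize again
Error codes
| Error code | Description |
|---|---|
| 0 | Success |
| 40001 | Token invalid or expired |
| 40002 | Insufficient permissions |
| 40003 | Parameter error |
| 50000 | System error |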
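Notes
- Token management: the token is cached automatically in ~/.weaver-e10/token.json
- Automatic refresh: the token is refreshed automatically 5 minutes before it expires
- Form data: formData must be valid JSON
- User ID: userid must be a user ID in the Weaver system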
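The token lifecycle from the authentication flow and the notes above, as an added example (not the skill's own code): an owner-only token cache plus the use / refresh / re-authorize decision. The `obtained_at` field and the function names are hypothetical, and the 24-hour refresh_token lifetime is assumed to count from when the token was issued.

```python
import json, os, stat, tempfile, time
from pathlib import Path

REFRESH_MARGIN = 5 * 60        # page: refresh 5 minutes before expiry
REFRESH_TOKEN_TTL = 24 * 3600  # page: refresh_token valid for 24 hours

def save_token(path, token, now=None):
    """Write the cache atomically; file 0600, directory 0700."""
    now = time.time() if now is None else now
    path = Path(path)
    path.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
    os.chmod(path.parent, 0o700)  # mkdir's mode is skipped if the dir existed
    # obtained_at is a hypothetical field added by this example
    record = dict(token, obtained_at=now)
    fd, tmp = tempfile.mkstemp(dir=path.parent)  # mkstemp creates 0600 files
    with os.fdopen(fd, "w") as f:
        json.dump(record, f)
    os.replace(tmp, path)  # readers never see a half-written cache

def load_token(path):
    """Return the cached record, or None if missing or readable by others."""
    path = Path(path)
    try:
        mode = path.stat().st_mode
    except FileNotFoundError:
        return None
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return None  # group/other bits set: treat the cache as untrusted
    return json.loads(path.read_text())

def next_action(record, now=None):
    """Return 'use', 'refresh' or 'authorize' for a cached record."""
    now = time.time() if now is None else now
    if record is None:
        return "authorize"
    age = now - record["obtained_at"]
    if age < record["expires_in"] - REFRESH_MARGIN:
        return "use"        # access_token still comfortably valid
    if age < REFRESH_TOKEN_TTL:
        return "refresh"    # inside the refresh_token window
    return "authorize"      # both tokens expired: restart at /oauth2/authorize
```

Rejecting a cache file with group or other permission bits forces a fresh authorization instead of trusting a token that other local users could have read or replaced.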
File structure
weaver-e10-api/
├── SKILL.md # This document
├── _meta.json # Metadata
├── scripts/
│ ├── weaver-e10.py # Main program
│ └── auth.py # Authentication module
└── examples/
├── create_request.json
└── approve_request.json
