Weaver E10 Api
Warn
Audited by ClawScan on May 10, 2026.
Overview
This skill matches its stated Weaver E10 workflow purpose, but it can approve, reject, and create enterprise workflow records with OAuth credentials without documented confirmation safeguards.
Review this skill before installing. It appears purpose-aligned for Weaver E10 API automation, but only use it with a least-privilege app account and require explicit human confirmation before any approval, rejection, or workflow creation command is run.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with valid credentials and request IDs, the agent could create, approve, or reject real Weaver E10 workflow items, affecting business approvals.
These commands mutate enterprise workflow state. The artifacts do not document a mandatory user confirmation, approval preview, or other control before the agent can run the mutating operations through Bash.
| Action | Command | Description |
| --- | --- | --- |
| Create workflow | `weaver-e10 create` | Start a new approval workflow |
| ... | ... | ... |
| Submit approval | `weaver-e10 approve` | Submit / approve a workflow |
| ... | ... | ... |
| Return workflow | `weaver-e10 reject` | Send an approval workflow back (reject it) |
Require explicit user confirmation for every create, approve, and reject action; show the user ID, workflow/request ID, title, form data, and remark before execution; and prefer read-only operations by default.
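One way to implement the confirmation gate this recommendation asks for, as an added example rather than code from the audited skill: a wrapper that lets assumed read-only subcommands through, denies anything not allowlisted, and for `create`, `approve` and `reject` renders the recommended preview fields before consulting a confirm hook. The subcommand names `create`, `approve` and `reject` come from the skill's command table; the read-only subcommand names (`list`, `get`, `status`) and the flag spellings (`--user-id`, `--request-id`, `--title`, `--form-data`, `--remark`) are assumptions.

```python
"""Confirmation gate for an agent that invokes the `weaver-e10` CLI through Bash.

Added example, not the skill's own code. Mutating subcommands are run only
after a human sees the preview and confirms; everything else is read-only
(allowlisted) or denied by default.
"""
import shlex
from dataclasses import dataclass, field

# Subcommands that change workflow state (from the skill's command table).
MUTATING = {"create", "approve", "reject"}
# Read-only subcommands the wrapper runs without a prompt (names are assumed).
READ_ONLY = {"list", "get", "status"}
# Fields shown to the human before any mutating call (flag spellings assumed).
PREVIEW_FIELDS = ("--user-id", "--request-id", "--title", "--form-data", "--remark")


@dataclass
class Decision:
    allowed: bool
    reason: str
    preview: dict = field(default_factory=dict)


def parse_flags(args):
    """['--title', 'Laptops', '--remark', 'urgent'] -> {'--title': 'Laptops', ...}."""
    flags = {}
    i = 0
    while i < len(args):
        if args[i].startswith("--") and i + 1 < len(args) and not args[i + 1].startswith("--"):
            flags[args[i]] = args[i + 1]
            i += 2
        else:
            i += 1
    return flags


def build_preview(flags):
    """Every recommended field is listed; absent ones are made visible as <missing>."""
    return {f.lstrip("-"): flags.get(f, "<missing>") for f in PREVIEW_FIELDS}


def gate(command: str, confirm) -> Decision:
    """Decide whether the shell command may run.

    confirm(preview) -> bool is the human-in-the-loop hook; it is consulted only
    for mutating subcommands, and anything not explicitly allowlisted is denied.
    """
    argv = shlex.split(command)
    if len(argv) < 2 or argv[0] != "weaver-e10":
        return Decision(False, "not a weaver-e10 invocation")
    sub = argv[1]
    if sub in READ_ONLY:
        return Decision(True, "read-only subcommand")
    if sub not in MUTATING:
        return Decision(False, f"unknown subcommand {sub!r} denied by default")
    preview = build_preview(parse_flags(argv[2:]))
    if sub != "create" and preview["request-id"] == "<missing>":
        return Decision(False, f"{sub} requires --request-id", preview)
    if not confirm(preview):
        return Decision(False, "user declined", preview)
    return Decision(True, f"user confirmed {sub}", preview)


def ask_terminal(preview) -> bool:
    """Default hook: print the preview and require the literal word 'yes'."""
    for key, value in preview.items():
        print(f"  {key}: {value}")
    return input("Run this mutating action? [yes/NO] ").strip().lower() == "yes"


def run_guarded(command: str, executor, confirm=ask_terminal) -> Decision:
    """executor(argv) is called only when the gate allows (e.g. subprocess.run)."""
    decision = gate(command, confirm)
    if decision.allowed:
        executor(shlex.split(command))
    return decision


if __name__ == "__main__":
    # Demo with a recording executor instead of really invoking the CLI.
    calls = []
    run_guarded("weaver-e10 status", calls.append, confirm=lambda p: False)
    run_guarded("weaver-e10 approve --request-id 42 --user-id u1 --title Laptops",
                calls.append, confirm=lambda p: True)
    print(calls)
```

The wrapper deliberately denies unknown subcommands instead of passing them through, so a future `weaver-e10` release that adds another mutating verb cannot bypass the gate by default; extend `READ_ONLY` only after checking the verb really does not write.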
Anyone who can access the configured app secret or resulting token may be able to act through the Weaver E10 API according to that app's permissions.
The skill requires application credentials for delegated Weaver E10 API access. This is expected for the stated OAuth integration, but the credentials can authorize sensitive workflow actions.
```shell
WEAVER_APP_KEY=your_app_key_here
WEAVER_APP_SECRET=your_app_secret_here
WEAVER_CORPID=your_corpid_here
```
Use a least-privilege Weaver app account, restrict it to necessary workflow operations, rotate secrets regularly, and ensure the registry metadata clearly declares the required credentials.
A compromised local account or shared host could expose the cached token and allow unauthorized Weaver E10 API access.
The skill persists OAuth tokens locally for reuse and refresh. This is disclosed and purpose-aligned, but it leaves a reusable credential on disk.
The token is cached at `~/.weaver-e10/token.json`
Store the token file with restrictive permissions, avoid shared hosts, consider enforcing chmod 600 in the script, and delete the cache when the skill is no longer needed.
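The recommendation above in working form, as an added example and not the skill's own cache code: the directory is forced to 0700, the file is written atomically with 0600 set before any bytes land, a cache that is a symlink, owned by someone else, or readable by group/other is refused instead of silently used, and a delete helper covers retiring the skill. The cache path is the one named in the artifacts; the token JSON layout (`access_token`, `expires_at` as a Unix time) is an assumption.

```python
"""Owner-only token cache for ~/.weaver-e10/token.json (added example, POSIX only)."""
import json
import os
import stat
import tempfile
import time
from pathlib import Path

# Cache location named in the skill's artifacts.
DEFAULT_CACHE = Path.home() / ".weaver-e10" / "token.json"


def file_mode(path) -> int:
    """Permission bits only, e.g. 0o600."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def save_token(token: dict, path=DEFAULT_CACHE) -> Path:
    """Write the token so it is never observable by other local users.

    The parent directory is forced to 0700, the data goes to a temp file that is
    0600 before any bytes are written, and os.replace swaps it in atomically so a
    crash cannot leave a partial or loosely-permissioned cache behind.
    """
    path = Path(path)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.parent.chmod(0o700)
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".token-")
    try:
        with os.fdopen(fd, "w") as f:
            os.fchmod(f.fileno(), 0o600)
            json.dump(token, f)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return path


def cache_problem(path) -> "str | None":
    """Why the cache must not be trusted, or None if it is owner-only."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return "not a regular file (symlink or special file)"
    if st.st_uid != os.getuid():
        return "owned by a different user"
    if st.st_mode & 0o077:
        return f"mode {stat.S_IMODE(st.st_mode):04o} grants group/other access"
    return None


def load_token(path=DEFAULT_CACHE, now=None):
    """Return the cached token, or None when absent or expired.

    A cache readable by others is refused rather than used: consuming it
    silently would hide exactly the exposure the audit warns about.
    The token layout (access_token, expires_at as a Unix time) is assumed.
    """
    path = Path(path)
    if not os.path.lexists(path):
        return None
    problem = cache_problem(path)
    if problem:
        raise PermissionError(f"{path}: {problem}; refusing to use cached token")
    token = json.loads(path.read_text())
    now = time.time() if now is None else now
    if token.get("expires_at", 0) <= now:
        return None
    return token


def delete_token(path=DEFAULT_CACHE) -> bool:
    """Remove the cache when the skill is retired; True if something was deleted."""
    try:
        os.unlink(path)
        return True
    except FileNotFoundError:
        return False


def demo_round_trip(base_dir=None) -> dict:
    """Exercise the helpers on a scratch directory and return what was observed."""
    base = Path(base_dir or tempfile.mkdtemp(prefix="weaver-demo-"))
    p = base / ".weaver-e10" / "token.json"
    save_token({"access_token": "example-token", "expires_at": 2_000_000_000}, p)
    out = {
        "file_mode": file_mode(p),
        "dir_mode": file_mode(p.parent),
        "fresh": load_token(p, now=1_000_000_000) is not None,
        "expired": load_token(p, now=3_000_000_000) is None,
    }
    os.chmod(p, 0o644)  # simulate a cache that ended up world-readable
    out["problem_when_0644"] = cache_problem(p)
    try:
        load_token(p, now=1_000_000_000)
        out["refused"] = False
    except PermissionError:
        out["refused"] = True
    out["deleted"] = delete_token(p)
    out["deleted_again"] = delete_token(p)
    return out


if __name__ == "__main__":
    for key, value in demo_round_trip().items():
        print(f"{key}: {value}")
```

Refusing a loosely-permissioned cache, rather than just re-chmodding it, is the point: by the time the script notices, another local user may already have read the token, so the right response is to stop, rotate, and let the operator look at who else had access to the host.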
Users may have to rely on the provided artifacts alone when deciding whether to trust the skill.
The artifact provenance is limited, so users have less external context for verifying the publisher, upstream source, or release history.
Source: unknown
Homepage: none
Verify the publisher and code before installation, and prefer skills with a clear source repository, homepage, and reproducible release metadata.
