Skill v1.2.0
ClawScan security
KingdeeDataExporter · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 8:33 AM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill appears to do what it claims (export K3Cloud data to Excel); the code and instructions are coherent, but the package metadata omits that account credentials, or a filled-in config.py, are required. Review where you store those credentials and which optional webhook targets are configured before running.
- Guidance
- This skill is a self-contained Python exporter for Kingdee K3Cloud. It needs your K3Cloud account (base_url, acctid, username, password), which you must put into config.py or provide via environment variables. Before installing or running:
  - Do not commit config.py with real credentials to any public repository. Use the provided config.example.py as the template and fill in a local copy.
  - Inspect data_exporter.py yourself (or run it in an isolated environment) to confirm that the base_url it uses is your K3Cloud host. The script makes HTTP requests to base_url + '/k3cloud/' and may post notifications to the WECHAT webhook if one is configured.
  - Only set WECHAT_WEBHOOK to a webhook URL you trust. Whatever sits at that URL receives the notification payloads, so do not point it at an unknown endpoint if leaking exported data is a concern.
  - Dependencies are standard Python packages; install them from PyPI if you trust the environment, preferably inside a virtualenv.
  - The registry metadata does not declare the required environment variables or credentials. That is an informational gap, not malware, but treat the credentials as sensitive and verify the code if you need higher assurance.
  - If you need stronger assurance, request a full review of data_exporter.py (network call locations and any non-obvious data sinks) or run the script in a network-restricted sandbox first.
Review Dimensions
- Purpose & Capability
- note: Name/description, SKILL.md, README, and code consistently describe and implement a Kingdee K3Cloud data exporter. However, the registry metadata lists no required environment variables or primary credential, while the shipped code expects Kingdee account information (via config.py or environment variables). This is consistent with the stated purpose, but the metadata omission is a packaging/information gap the user should know about.
- Instruction Scope
- ok: SKILL.md tells the user to install dependencies, copy and fill in config.py, and run data_exporter.py (and optionally the filter script). The runtime instructions only reference the K3Cloud base_url/acctid/username/password and an optional WECHAT webhook; they do not instruct reading unrelated system files or contacting unexpected external endpoints. The optional WeChat webhook is an expected integration for notifications.
- Install Mechanism
- ok: No automated install spec; this is an instruction-and-code skill. Dependencies are standard Python packages (requests, pandas, python-dateutil, openpyxl) listed in requirements.txt, proportional to the work (HTTP calls plus Excel output). No downloads from arbitrary URLs or archive extraction were specified.
- Credentials
- note: The code requires K3Cloud credentials (KINGDEE_BASE_URL, KINGDEE_ACCTID, KINGDEE_USERNAME, KINGDEE_PASSWORD) either via config.py or environment variables; WECHAT_WEBHOOK is optional. The registry metadata did not declare these env vars or a primary credential, which is an informational mismatch. The requested secrets are proportional to the exporter's function, but they are sensitive and must be provided by the user.
- Persistence & Privilege
- ok: The skill does not request permanent presence, does not modify other skills or global agent settings, and only writes export files (Excel) in the working directory. The always flag is false and model invocation defaults are unchanged.
