Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
NaviOffice Skill
v1.0.3NaviOffice OA 办公系统 MCP 集成技能 - 覆盖系统管理、人力资源、考勤、财务、CRM、销售、采购、库存、项目、生产、计量检测 11 大模块,支持数据查询与业务操作。
⭐ 0· 63·0 current·0 all-time
byvincent66@zhaowb82
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill name/description (NaviOffice OA integration) aligns with the provided code and reference docs: the CLI scripts make authenticated HTTP calls to the described API and the references enumerate expected modules. However the registry metadata claims 'Required env vars: none' while the SKILL.md and the included scripts clearly require NAVI_OFFICE_API_TOKEN (and optionally NAVI_OFFICE_API_URL / NAVI_OFFICE_ALLOW_CUSTOM_DOMAIN). This metadata omission is an inconsistency that reduces transparency.
Instruction Scope
SKILL.md and the scripts instruct the agent to read a .env file placed in the skill directory and to send requests to the configured API endpoint using X-Api-Token. That's reasonable for an API integration. However both the JS and Python scripts contain a broken domain validation check (they compare a hostname to the full URL string 'https://oa.teredy.com/api'), which will reject the official domain unless NAVI_OFFICE_ALLOW_CUSTOM_DOMAIN=true is set. That behavior contradicts the SKILL.md security guidance and can push users to explicitly allow custom domains, increasing risk of sending tokens to arbitrary endpoints.
Install Mechanism
There is no install spec; the skill is instruction/code-only and does not download external archives or run an installer. That keeps install-time risk low. The skill does include three CLI scripts (shell, Python, Node) which will be executed by the agent or by the user if invoked.
Credentials
The runtime requires NAVI_OFFICE_API_TOKEN (and optionally NAVI_OFFICE_API_URL and NAVI_OFFICE_ALLOW_CUSTOM_DOMAIN) to operate — appropriate for an API client. But the registry metadata does not declare any required env vars (discrepancy). Additionally, the broken domain validation forces users to set NAVI_OFFICE_ALLOW_CUSTOM_DOMAIN=true (or otherwise circumvent validation), which is a disproportionate and dangerous action because it weakens the domain whitelist and can permit use of arbitrary endpoints that could receive the token.
Persistence & Privilege
The skill does not request 'always: true' or any elevated persistent platform privileges, nor does it modify other skills or system-wide configuration. It reads a .env from its own skill directory (documented).
What to consider before installing
This skill appears to be a genuine NaviOffice API client, but there are important red flags you should consider before installing or using it:
- Secrets required: The SKILL.md and the included scripts require NAVI_OFFICE_API_TOKEN (and optionally NAVI_OFFICE_API_URL and NAVI_OFFICE_ALLOW_CUSTOM_DOMAIN), but the registry metadata lists no required env vars. Treat this as a transparency/packaging mistake — assume you must provide an API token for the skill to work.
- Broken domain validation: Both the JS and Python scripts have a bug that compares the parsed hostname to the full URL string 'https://oa.teredy.com/api'. As written, the scripts will reject the official domain and terminate unless NAVI_OFFICE_ALLOW_CUSTOM_DOMAIN=true is set. That effectively forces users to enable "allow custom domain" to proceed, which is risky because it relaxes the whitelist and could allow the token to be sent to an arbitrary endpoint.
- Before using the skill, do one or more of the following:
- Inspect the scripts (navioffice.js / navioffice.py) yourself or ask the author to fix the domain-check bug so the allowed host is compared correctly (should compare hostname to 'oa.teredy.com' or compare the full URL string consistently). A safe fix: validate that the parsed hostname === 'oa.teredy.com' (or if you want to allow subdomains, check suffix).
- If you must test, use a non-production API token with minimal privileges and run the tool in an isolated environment/network where you can monitor outbound requests.
- Do not set NAVI_OFFICE_ALLOW_CUSTOM_DOMAIN=true unless you fully trust the endpoint. If you do set it, ensure NAVI_OFFICE_API_URL points to a vetted, internal, or otherwise trusted host.
- Ask the publisher to update registry metadata to declare NAVI_OFFICE_API_TOKEN as a required env var so the platform can surface the requirement.
- Prefer the Python/Node shells only after verifying they send traffic to the intended hostname and not to unknown third parties.
Given the missing metadata and the domain-validation bug (which has a direct security impact), treat this package as suspicious until the author corrects the issues or you perform an independent code/network audit.Like a lobster shell, security has layers — review code before you run it.
latestvk97espxmn34qpkhbxpgvnvghss848wcy
License
MIT-0
Free to use, modify, and redistribute. No attribution required.