Security Scan
OpenClaw
Suspicious
medium confidence
The code implements the described Weaver E10 API client and OAuth token management, but the package metadata and SKILL.md are inconsistent with the actual runtime requirements (missing declared env vars / config paths, a referenced auth.py is absent), so proceed with caution and verify credentials and file placement before installing.
Assessment and recommendations
This skill's code appears to implement the Weaver E10 API client described, but the package metadata does not declare the environment variables or config paths the code actually needs. Before installing or supplying credentials: 1) Inspect the full script (weaver-e10.py) yourself to confirm no hidden endpoints or unexpected network calls; 2) Do not place production credentials into a shared or public workspace path — prefer a secure location and verify the code reads the path you expect (it curr...
ℹ Purpose and capabilities
The skill's name/description match the code: it is an OAuth2 client for 泛微 E10 that creates workflows, queries todos, approves/rejects requests. However the registry metadata declares no required environment variables or config paths while the runtime code requires WEAVER_API_BASE, WEAVER_APP_KEY, WEAVER_APP_SECRET, WEAVER_CORPID and reads a specific env file path. This mismatch is unexpected and should be clarified.
⚠ Instruction scope
SKILL.md instructs the user to store credentials in /ollama/workspace/.env/weaver-e10.env and documents token caching at ~/.weaver-e10/token.json. The runtime code indeed reads that exact workspace .env path and writes a token cache to the user's home. The instructions therefore cause the agent to read/write files on disk (workspace .env and home token file) — these actions are within the declared functional scope but they were not declared in the registry metadata, and the SKILL.md references an auth.py module that is not present in the file manifest, which is an inconsistency.
✓ Install mechanism
There is no install spec (instruction-only install), which is low risk. The package does include a Python script (scripts/weaver-e10.py) that will be executed by the user/agent; nothing is downloaded from third-party URLs and no install-time arbitrary downloads are present.
⚠ Credential requirements
The code requires four service-specific environment variables (WEAVER_API_BASE, WEAVER_APP_KEY, WEAVER_APP_SECRET, WEAVER_CORPID) and reads a workspace .env file, but the registry metadata lists no required env vars or config paths. That omission is a mismatch and increases risk because users may not realize sensitive credentials are needed or exactly where they will be read from/written to (token cache in home).
✓ Persistence and privileges
The skill is not configured as always:true and does not request system-wide privileges. It writes its own token cache (~/.weaver-e10/token.json) and reads the specified .env file; it does not modify other skills or global agent config. Autonomous invocation is allowed (platform default) but is not coupled with unusually broad privileges here.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v0.1.1 2026/3/13
No changes detected in this version. - Version 0.1.1 released with no updates to documentation or code.
● Benign
Install command
Official: npx clawhub@latest install clawhub-skill-test-api
Mirror (accelerated): npx clawhub@latest install clawhub-skill-test-api --registry https://cn.longxiaskill.com