← Back to Skills Marketplace
Cmb Salary Import
by
loverun321
· GitHub ↗
· v1.2.0
· MIT-0
115
Downloads
1
Stars
0
Active Installs
4
Versions
Install in OpenClaw
/install cmb-salary-import
Description
招商银行工资批量导入工具。当用户提到"招行工资导入"、"工资表导入银行模板"、"AgencyPayment"、"批量代发"、"工资文件导入银行"时触发。功能:将工资表(工资.xlsx)中的税后实发金额、姓名、银行卡号、开户行等信息,不改格式地填入银行代发模板(AgencyPayment.xlsx)。支持:读取任意...
Usage Guidance
This skill likely does what it claims, but several red flags mean you should not run it on production payroll or sensitive machines without checks. Key points: (1) SKILL.md and handler.py include a hardcoded SkillPay API key and default billing endpoint — this means payments/requests could be routed to an external account you don't control; consider removing the embedded key and supplying your own SKILLPAY_API_KEY via environment variables if you intend to use billing. (2) The scripts rely on minimax-xlsx xlsx_unpack.py/xlsx_pack.py via an absolute, user-specific path that won't exist on most systems — inspect or provide these helper scripts from a trusted source before running. (3) There is no install spec for Python deps (openpyxl, lxml); install these in a sandbox first. (4) Because the code calls subprocess on external scripts and makes outbound HTTP requests, run it in an isolated environment with sample (non-sensitive) data, review the network endpoint (https://skillpay.me) and the owner of the embedded API key, and replace or remove payment integration if you don't want external billing. If you need help making the skill installable and safe (adding dependency declarations, removing embedded keys, or using a local pack/unpack implementation), ask the author for an updated package or request source provenance before use.
Capability Analysis
Type: OpenClaw Skill
Name: cmb-salary-import
Version: 1.2.0
The skill contains hardcoded local file paths to external scripts (/mnt/c/Users/70426/.openclaw/skills/minimax-xlsx/scripts/xlsx_unpack.py) in import_salary.py, which creates a dependency on unverified external code and indicates a significant configuration flaw. Additionally, it hardcodes a sensitive API key (sk_93c5...) in both SKILL.md and handler.py. While the code implements a 'pay-per-use' billing logic via SkillPay (https://skillpay.me) to process sensitive salary data, the combination of hardcoded credentials and reliance on external local scripts poses a high security risk.
Capability Assessment
Purpose & Capability
The code implements salary→AgencyPayment import as described (uses openpyxl and direct XLSX XML edits). However the skill also integrates a third‑party billing flow (SkillPay) with a hardcoded API key present in both SKILL.md and handler.py — billing is plausible for a paid skill but the key/credential handling is inconsistent with the registry metadata (which lists no required env vars) and is surprising for an install-less instruction-only package.
Instruction Scope
SKILL.md exposes an API key and SKILL_ID. The runtime code performs network calls to SkillPay and spawns subprocesses that call pack/unpack helper scripts at an absolute path (/mnt/c/Users/70426/.openclaw/skills/minimax-xlsx/...). The skill will read arbitrary files given by the user (salary/template) and writes to /tmp and output paths — acceptable for the task, but the absolute helper-script paths and embedded billing key extend scope beyond a simple local conversion tool.
Install Mechanism
There is no install spec. The scripts require Python packages (openpyxl, lxml) and external minimax-xlsx helper scripts (xlsx_unpack.py/xlsx_pack.py) but those aren't provided or declared as dependencies. The code calls those helpers via hardcoded absolute paths, which is fragile and potentially dangerous if an attacker can supply/replace those scripts on the host.
Credentials
Registry metadata declares no required env vars, but handler.py reads/uses SKILLPAY_API_KEY, SKILLPAY_API_URL, and SKILLPAY_SKILL_ID (with defaults). A full API key is committed into SKILL.md and as a default in code — this is disproportionate and risky because it causes billing/network behavior without an explicit credential requirement or user-provided key.
Persistence & Privilege
always:false and the skill does not request persistent presence or modify other skills. It writes temporary files under /tmp and outputs an XLSX file — behaviour is consistent with a conversion/import tool and does not escalate agent privileges.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install cmb-salary-import - After installation, invoke the skill by name or use
/cmb-salary-import - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.2.0
接入SkillPay完整计费:SKILL_ID已配置,charge接口对接完成
v1.1.0
更新
v1.0.1
更新:添加收款信息
v1.0.0
首次发布
Metadata
Frequently Asked Questions
What is Cmb Salary Import?
招商银行工资批量导入工具。当用户提到"招行工资导入"、"工资表导入银行模板"、"AgencyPayment"、"批量代发"、"工资文件导入银行"时触发。功能:将工资表(工资.xlsx)中的税后实发金额、姓名、银行卡号、开户行等信息,不改格式地填入银行代发模板(AgencyPayment.xlsx)。支持:读取任意... It is an AI Agent Skill for Claude Code / OpenClaw, with 115 downloads so far.
How do I install Cmb Salary Import?
Run "/install cmb-salary-import" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Cmb Salary Import free?
Yes, Cmb Salary Import is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Cmb Salary Import support?
Cmb Salary Import is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Cmb Salary Import?
It is built and maintained by loverun321 (@loverun321); the current version is v1.2.0.
More Skills