蜀宁 OA 工时管理

by ithou · GitHub ↗ · v1.4.3 · MIT-0
cross-platform ⚠ suspicious
184 Downloads · 0 Stars · 0 Active Installs · 17 Versions
Install in OpenClaw
/install sn-work-record
Description
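Timesheet management for the 蜀宁 OA system, supporting submitting, modifying, and querying work hours, along with related functions.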
Usage Guidance
This skill's functionality (login, list, submit, query, update) is coherent with its code, but there are some things to check before installing:
- Confirm the missing declarations: SKILL.md and code require openssl and an OA_ENC_KEY (or a cached key file), yet the registry metadata listed no required binaries or env vars. Ask the author or maintainer to correct the registry metadata if you need explicit declarations for review/audit.
- Protect credentials: the skill reads a credentials file (~/.openclaw/workspace/memory/sn-work-record-credentials.md) which may be plain or .enc. If you use encryption, ensure OA_ENC_KEY is provided securely and file permissions restrict access (chmod 600). Prefer using .enc and providing the key only in a secure way.
- Evaluate the OCR handling: the captcha solver strips non-digit/operator characters then eval()s the expression. This is fragile — if the OCR output is malicious or the OA endpoint is compromised to return crafted captcha strings, eval could run unexpected code. If you will run this in a sensitive environment, review/modify the code to compute arithmetic safely (e.g., parse the expression into numbers/operators rather than eval).
- Check openssl availability: the code calls openssl via subprocess to decrypt files; ensure openssl on your system is the expected binary (absolute path if you want extra safety) and that using subprocess is acceptable in your environment.
- Network scope: the scripts will send credentials and tokens to the OA base URL you supply — confirm the base URL points to your internal OA server and not an untrusted external host.
- Run in isolation first: test in an isolated account/container with test OA credentials before using with real accounts.
If you are uncomfortable with any of the above or with the metadata mismatch, treat the skill as untrusted until the author clarifies and/or you harden the deployment (restrict files, review/patch eval usage, set explicit bin paths).
Capability Analysis
Type: OpenClaw Skill
Name: sn-work-record
Version: 1.4.3
The skill automates work record management for a specific OA system but contains high-risk code patterns. Specifically, `oa_utils.py` uses `eval()` to solve arithmetic captchas after a regex filter, which is a classic RCE vulnerability pattern. Additionally, `runtime_bootstrap.py` implements a complex mechanism to automatically locate and execute alternative Python interpreters from various virtual environment paths (e.g., `~/.openclaw/workspace/ddddocr_env/bin/python`), which is an unusually powerful execution capability for a skill bundle. While these features appear intended for functionality and dependency management, they represent a significant attack surface.
Capability Tags
requires-oauth-token
Capability Assessment
Purpose & Capability
The name/description (蜀宁 OA 工时管理) matches the supplied scripts: login, list projects, submit/query/update time entries. However the registry metadata provided earlier lists no required binaries or env vars, while the SKILL.md and code explicitly require openssl (used to decrypt .enc credentials) and an OA_ENC_KEY. This mismatch is an incoherence in the declared requirements.
Instruction Scope
Runtime instructions and scripts stick to OA tasks (login, captcha solve, session creation, POST/PUT/GET calls to /sn/* endpoints). They read a credentials file (plaintext or .enc), decrypt with openssl if needed, and send tokens to the OA base URL. Two items to note: (1) captcha recognition pipeline uses OCR output that is sanitized then passed to eval() to compute arithmetic results — this relies on sanitization and is a potential code-injection risk if OCR or input is tampered; (2) scripts call external network endpoints (the user's OA system) and will transmit username/password and tokens as part of normal operation, which is expected for this skill but worth being explicit about.
Install Mechanism
No install spec (instruction-only) — the skill ships Python scripts that run in-place and perform runtime bootstrap (re-exec into a Python interpreter with required modules). This is lower risk than arbitrary remote installers, but the runtime_bootstrap will execve other Python binaries on disk and the scripts call subprocess.run for openssl; those behaviors are expected for the shipped code but give the skill the ability to execute local binaries.
Credentials
The skill requires access to OA credentials (username/password/base URL/default project) and supports encrypted credential files decrypted with OA_ENC_KEY or a file at ~/.openclaw/workspace/.cache/oa_enc_key. Those secrets are appropriate for an OA integration, but the registry metadata omitted declaring OA_ENC_KEY and required openssl — this discrepancy is concerning (either packaging omitted required secret declarations, or the skill silently depends on secrets/binaries not recorded). Requiring environment-held decryption keys and reading credential files is sensitive and should be explicitly declared.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and does not persist beyond its own files. It does re-exec into available Python interpreters (runtime_bootstrap) but that behavior is local to the process and documented in SKILL.md.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install sn-work-record
  3. After installation, invoke the skill by name or use /sn-work-record
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.4.3
Add privacy guidance: do not expose project/time-entry IDs in normal chat responses unless explicitly needed
v1.4.2
Hide project-specific IDs/names from docs and add state 30 mapping as 已审批 (approved)
v1.9.0
Rename local env recommendation to sn_work_record_env; refresh runtime/skill docs; publish updated launcher and interpreter selection guidance
v1.4.1
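Add a unified launcher and runtime interpreter self-check/automatic switching; complete the environment notes and workflow documentation; remove the hard-coded dependency on a fixed virtual-environment name.
v1.8.0
This update: resolved some known issues.
v1.7.0
Fix the description format; use a YAML multi-line string to preserve the full description
v1.6.0
This update: resolved some known issues.
v1.5.0
Fix security-scan findings: declare the OA_ENC_KEY environment variable, the openssl binary dependency, and author information (chengcheng)
v1.4.0
Refactor to require the chinese_calendar library for workday checks and remove the fallback logic; rename the function from is_holiday to is_workday; automatically handle make-up workdays from adjusted holiday schedules
v1.3.0
Use the chinese_calendar library to determine holidays automatically (supports 2004-2026); fall back to hard-coded 2026-2027 data when it is not installed
v1.2.0
Add the holiday check function is_holiday, with automatic validation before submission; add a note on holiday restrictions to api.md
v1.1.2
Update description
v1.1.1
Trim the skill description
v1.1.0
Refactor: extract the shared module oa_utils.py to unify credential parsing and captcha recognition; support encrypted credentials (.enc); use a date-only format for fillDate; fix compatibility of the code comparison
v1.0.2
Encrypted storage: credentials are encrypted with AES-256-CBC; the passphrase is kept in memory only and never written to disk
v1.0.1
Security update: declare credential requirements and add security recommendations
v1.0.0
Initial release: query, withdraw, and modify timesheet descriptions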
Metadata
Slug: sn-work-record
Version: 1.4.3
License: MIT-0
All-time Installs: 0
Active Installs: 0
Total Versions: 17
Frequently Asked Questions

What is 蜀宁 OA 工时管理?

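蜀宁 OA 工时管理 provides timesheet management for the 蜀宁 OA system, supporting submitting, modifying, and querying work hours, along with related functions. It is an AI Agent Skill for Claude Code / OpenClaw, with 184 downloads so far.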

How do I install 蜀宁 OA 工时管理?

Run "/install sn-work-record" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is 蜀宁 OA 工时管理 free?

Yes, 蜀宁 OA 工时管理 is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does 蜀宁 OA 工时管理 support?

蜀宁 OA 工时管理 is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created 蜀宁 OA 工时管理?

It is built and maintained by ithou (@ithou); the current version is v1.4.3.
