Downloads: 94
Stars: 0
Active Installs: 1
Versions: 1
Install in OpenClaw
/install sfe-sxk-data-viewer
Description
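SFE 深西康 dedicated data query tool, used to quickly query report data for 深西康's dedicated collection projects, such as the detail or summary reports of specific projects like 新活素 ward-round daily collection feedback V2.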
Usage Guidance
Key things to consider before installing or using this skill:
- The Python scripts do require an appKey (XG_BIZ_API_KEY or XG_APP_KEY) even though the skill metadata doesn't declare it. Don't provide that secret until you've reviewed and trusted the code and the remote API. Consider running the scripts locally first and inspecting their network calls.
- The script's HTTP request code explicitly disables TLS certificate verification (verify=False). This weakens protection of the appKey and data in transit; ask the maintainer to remove verify=False or ensure you run in a trusted network.
- SKILL.md tells the agent to install a dependency (cms-auth-skills) via npx or from a GitHub URL if missing. That means the agent may execute network installs of third-party code; review the cms-auth-skills project source before allowing any auto-install.
- If you plan to grant the appKey, prefer running the provided scripts yourself in a controlled environment and inspect them for any exfiltration or unexpected endpoints. If you must use the skill hosted in an agent, only proceed if you trust the owner and the cms-auth-skills package, and consider rotating the appKey afterward.
- If you have low tolerance for supply-chain risk, decline or request the author to (a) declare required env vars in metadata, (b) remove insecure TLS settings, and (c) vendor/declare the cms-auth-skills dependency explicitly rather than instructing runtime npx installs.
Capability Analysis
Type: OpenClaw Skill
Name: sfe-sxk-data-viewer
Version: 1.0.0
The skill bundle contains a security vulnerability and a potential supply chain risk. The script `scripts/sfe-sxk/xhs-ward-rounds-report-v2.py` explicitly disables SSL certificate verification (`verify=False`), which makes the connection to `erp-web.mediportal.com.cn` vulnerable to Man-in-the-Middle (MITM) attacks. Additionally, `SKILL.md` instructs the AI agent to execute `npx clawhub` to install a dependency from a specific external GitHub repository (`spzwin/cms-auth-skills.git`) if it is missing, which is a high-risk pattern for supply chain injection. While these appear to be operational choices rather than intentional malware, they exceed the threshold for benign classification.
Capability Assessment
Purpose & Capability
The skill's name/description (SFE 深西康 data queries) matches the included API docs and Python scripts that call the stated ERP endpoint. However the package metadata claims no required environment variables while the scripts and documentation clearly require an application key (XG_BIZ_API_KEY or XG_APP_KEY). Also the SKILL.md declares a dependency on cms-auth-skills but that dependency is not bundled — the skill instructs the agent to install it at runtime. These are proportional to the purpose but are inconsistently declared.
Instruction Scope
SKILL.md enforces a workflow that will (a) read cms-auth-skills/SKILL.md for auth rules and, if missing, (b) run npx clawhub@latest install cms-auth-skills --force or fallback to installing a GitHub repo. That instructs the agent to perform network installs of third-party code. The runtime scripts call the external ERP API and require an appKey. The SKILL.md also requires all API calls go through the provided scripts (reasonable), but it grants the agent discretion to install external packages — this is scope creep and a potential supply-chain risk.
Install Mechanism
There is no formal install spec in the skill metadata (lowest-risk), but SKILL.md instructs the agent to run npx to install cms-auth-skills or fall back to a GitHub URL. That is effectively an install mechanism triggered at runtime and would pull code from the network (npm / GitHub). Pulling and executing external code via npx from an unknown source increases risk and is not declared in the registry metadata.
Credentials
The skill metadata lists no required env vars, but scripts/docs require an appKey via XG_BIZ_API_KEY or XG_APP_KEY, which is a clear mismatch. Requesting that appKey is proportionate to the stated ERP API purpose, but the omission from metadata is an inconsistency. No other unrelated credentials are requested. Note: the script disables TLS verification (`verify=False` in its requests usage), which raises the risk that the appKey or returned data could be exposed to a man-in-the-middle attacker.
Persistence & Privilege
The skill does not request always: true and does not declare persistent system-wide privileges. It does not itself modify other skills or claim to change agent-wide settings. The main persistence/privilege risk comes from the SKILL.md instruction to run npx install commands (which would write and execute code), but the skill metadata does not request elevated privileges.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install sfe-sxk-data-viewer
- After installation, invoke the skill by name or use /sfe-sxk-data-viewer
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
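Initial release of the SFE 深西康 data query (sfe-sxk-data-viewer) skill.
- Provides detail and summary report queries for 深西康's dedicated collection projects (such as 新活素 ward-round daily collection feedback V2)
- All interfaces must be called through Python scripts, and results are uniformly output with TOON encoding
- Depends on the cms-auth-skills component to implement a standardized authentication flow
- Strictly separated modules, documentation first and scripts second, with mandatory on-demand loading, to safeguard data security and production environment standards
- Provides a standardized capability tree, intent routing, and practical example templates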
Frequently Asked Questions
What is Sfe Sxk Data Viewer?
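An SFE 深西康 dedicated data query tool, used to quickly query report data for 深西康's dedicated collection projects, such as the detail or summary reports of specific projects like 新活素 ward-round daily collection feedback V2. It is an AI Agent Skill for Claude Code / OpenClaw, with 94 downloads so far.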
How do I install Sfe Sxk Data Viewer?
Run "/install sfe-sxk-data-viewer" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Sfe Sxk Data Viewer free?
Yes, Sfe Sxk Data Viewer is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Sfe Sxk Data Viewer support?
Sfe Sxk Data Viewer is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Sfe Sxk Data Viewer?
It is built and maintained by spzwin (@spzwin); the current version is v1.0.0.