zhaowb82

NaviOffice Skill

by vincent66 · GitHub ↗ · v1.0.3 · MIT-0
cross-platform ⚠ suspicious
Downloads: 96
Stars: 0
Active Installs: 0
Versions: 4
Install in OpenClaw
/install navi-office
Description
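NaviOffice OA office system MCP integration skill - covers 11 modules (system management, human resources, attendance, finance, CRM, sales, purchasing, inventory, projects, production, and metrology/testing) and supports data queries and business operations.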
Usage Guidance
This skill appears to be a genuine NaviOffice API client, but there are important red flags you should consider before installing or using it:

- Secrets required: The SKILL.md and the included scripts require NAVI_OFFICE_API_TOKEN (and optionally NAVI_OFFICE_API_URL and NAVI_OFFICE_ALLOW_CUSTOM_DOMAIN), but the registry metadata lists no required env vars. Treat this as a transparency/packaging mistake — assume you must provide an API token for the skill to work.
- Broken domain validation: Both the JS and Python scripts have a bug that compares the parsed hostname to the full URL string 'https://oa.teredy.com/api'. As written, the scripts will reject the official domain and terminate unless NAVI_OFFICE_ALLOW_CUSTOM_DOMAIN=true is set. That effectively forces users to enable "allow custom domain" to proceed, which is risky because it relaxes the whitelist and could allow the token to be sent to an arbitrary endpoint.
- Before using the skill, do one or more of the following:
  - Inspect the scripts (navioffice.js / navioffice.py) yourself or ask the author to fix the domain-check bug so the allowed host is compared correctly (should compare hostname to 'oa.teredy.com' or compare the full URL string consistently). A safe fix: validate that the parsed hostname === 'oa.teredy.com' (or if you want to allow subdomains, check suffix).
  - If you must test, use a non-production API token with minimal privileges and run the tool in an isolated environment/network where you can monitor outbound requests.
  - Do not set NAVI_OFFICE_ALLOW_CUSTOM_DOMAIN=true unless you fully trust the endpoint. If you do set it, ensure NAVI_OFFICE_API_URL points to a vetted, internal, or otherwise trusted host.
  - Ask the publisher to update registry metadata to declare NAVI_OFFICE_API_TOKEN as a required env var so the platform can surface the requirement.
  - Prefer the Python/Node shells only after verifying they send traffic to the intended hostname and not to unknown third parties.

Given the missing metadata and the domain-validation bug (which has a direct security impact), treat this package as suspicious until the author corrects the issues or you perform an independent code/network audit.
Capability Tags
crypto
can-make-purchases
Capability Assessment
Purpose & Capability
The skill name/description (NaviOffice OA integration) aligns with the provided code and reference docs: the CLI scripts make authenticated HTTP calls to the described API and the references enumerate expected modules. However the registry metadata claims 'Required env vars: none' while the SKILL.md and the included scripts clearly require NAVI_OFFICE_API_TOKEN (and optionally NAVI_OFFICE_API_URL / NAVI_OFFICE_ALLOW_CUSTOM_DOMAIN). This metadata omission is an inconsistency that reduces transparency.
Instruction Scope
SKILL.md and the scripts instruct the agent to read a .env file placed in the skill directory and to send requests to the configured API endpoint using X-Api-Token. That's reasonable for an API integration. However both the JS and Python scripts contain a broken domain validation check (they compare a hostname to the full URL string 'https://oa.teredy.com/api'), which will reject the official domain unless NAVI_OFFICE_ALLOW_CUSTOM_DOMAIN=true is set. That behavior contradicts the SKILL.md security guidance and can push users to explicitly allow custom domains, increasing risk of sending tokens to arbitrary endpoints.
Install Mechanism
There is no install spec; the skill is instruction/code-only and does not download external archives or run an installer. That keeps install-time risk low. The skill does include three CLI scripts (shell, Python, Node) which will be executed by the agent or by the user if invoked.
Credentials
The runtime requires NAVI_OFFICE_API_TOKEN (and optionally NAVI_OFFICE_API_URL and NAVI_OFFICE_ALLOW_CUSTOM_DOMAIN) to operate — appropriate for an API client. But the registry metadata does not declare any required env vars (discrepancy). Additionally, the broken domain validation forces users to set NAVI_OFFICE_ALLOW_CUSTOM_DOMAIN=true (or otherwise circumvent validation), which is a disproportionate and dangerous action because it weakens the domain whitelist and can permit use of arbitrary endpoints that could receive the token.
Persistence & Privilege
The skill does not request 'always: true' or any elevated persistent platform privileges, nor does it modify other skills or system-wide configuration. It reads a .env from its own skill directory (documented).
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install navi-office
  3. After installation, invoke the skill by name or use /navi-office
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.3
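- Added the environment variable NAVI_OFFICE_ALLOW_CUSTOM_DOMAIN, which allows a custom API domain; by default only the official address is supported
- The security notes now state explicitly that a custom domain requires setting NAVI_OFFICE_ALLOW_CUSTOM_DOMAIN=true
- Environment variable and security notes are more detailed, and the risk warnings for official versus non-official API addresses are more prominent
- Other functionality and calling conventions are unchanged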
v1.0.2
- Added a sample environment variable configuration file: .env.example
- Updated documentation to reflect the default API URL as https://oa.teredy.com/api instead of https://api.navioffice.com
v1.0.1
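navi-office 1.0.1
- Added "Installation" instructions and a one-step install command (clawdhub install navi-office)
- Added environment variable and security notes, emphasizing the default credential read path and a warning about the official API address
- Clarified that the environment variable `NAVI_OFFICE_API_URL` is optional, and added the request header format
- Remaining usage rules, the tool loading mechanism, and other content are unchanged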
v1.0.0
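First release of the NaviOffice OA office system skill, supporting integration with 11 core business modules:
- Covers the full business flow: system management, human resources, attendance, finance, CRM, sales, purchasing, inventory, projects, production, and metrology/testing.
- Provides per-module tools that support data queries and business operations.
- Introduces a progressive tool-loading strategy that reduces token consumption by loading the relevant module tools on demand.
- Supports CLI script invocation and JSON parameter passing, suitable for a variety of development environments.
- Defines calling conventions, including fuzzy name search, pagination, date formats, and permission checks, to improve operational consistency and security.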
Metadata
Slug navi-office
Version 1.0.3
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 4
Frequently Asked Questions

What is NaviOffice Skill?

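NaviOffice OA office system MCP integration skill - covers 11 modules (system management, human resources, attendance, finance, CRM, sales, purchasing, inventory, projects, production, and metrology/testing) and supports data queries and business operations. It is an AI Agent Skill for Claude Code / OpenClaw, with 96 downloads so far.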

How do I install NaviOffice Skill?

Run "/install navi-office" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is NaviOffice Skill free?

Yes, NaviOffice Skill is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does NaviOffice Skill support?

NaviOffice Skill is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created NaviOffice Skill?

It is built and maintained by vincent66 (@zhaowb82); the current version is v1.0.3.
