← 返回 Skills 市场
Cmb Salary Import
作者
loverun321
· GitHub ↗
· v1.2.0
· MIT-0
115
总下载
1
收藏
0
当前安装
4
版本数
在 OpenClaw 中安装
/install cmb-salary-import
功能描述
招商银行工资批量导入工具。当用户提到"招行工资导入"、"工资表导入银行模板"、"AgencyPayment"、"批量代发"、"工资文件导入银行"时触发。功能:将工资表(工资.xlsx)中的税后实发金额、姓名、银行卡号、开户行等信息,不改格式地填入银行代发模板(AgencyPayment.xlsx)。支持:读取任意...
安全使用建议
This skill likely does what it claims, but several red flags mean you should not run it on production payroll or sensitive machines without checks. Key points: (1) SKILL.md and handler.py include a hardcoded SkillPay API key and default billing endpoint — this means payments/requests could be routed to an external account you don't control; consider removing the embedded key and supplying your own SKILLPAY_API_KEY via environment variables if you intend to use billing. (2) The scripts rely on minimax-xlsx xlsx_unpack.py/xlsx_pack.py via an absolute, user-specific path that won't exist on most systems — inspect or provide these helper scripts from a trusted source before running. (3) There is no install spec for Python deps (openpyxl, lxml); install these in a sandbox first. (4) Because the code calls subprocess on external scripts and makes outbound HTTP requests, run it in an isolated environment with sample (non-sensitive) data, review the network endpoint (https://skillpay.me) and the owner of the embedded API key, and replace or remove payment integration if you don't want external billing. If you need help making the skill installable and safe (adding dependency declarations, removing embedded keys, or using a local pack/unpack implementation), ask the author for an updated package or request source provenance before use.
功能分析
Type: OpenClaw Skill
Name: cmb-salary-import
Version: 1.2.0
The skill contains hardcoded local file paths to external scripts (/mnt/c/Users/70426/.openclaw/skills/minimax-xlsx/scripts/xlsx_unpack.py) in import_salary.py, which creates a dependency on unverified external code and indicates a significant configuration flaw. Additionally, it hardcodes a sensitive API key (sk_93c5...) in both SKILL.md and handler.py. While the code implements a 'pay-per-use' billing logic via SkillPay (https://skillpay.me) to process sensitive salary data, the combination of hardcoded credentials and reliance on external local scripts poses a high security risk.
能力评估
Purpose & Capability
The code implements salary→AgencyPayment import as described (uses openpyxl and direct XLSX XML edits). However the skill also integrates a third‑party billing flow (SkillPay) with a hardcoded API key present in both SKILL.md and handler.py — billing is plausible for a paid skill but the key/credential handling is inconsistent with the registry metadata (which lists no required env vars) and is surprising for an install-less instruction-only package.
Instruction Scope
SKILL.md exposes an API key and SKILL_ID. The runtime code performs network calls to SkillPay and spawns subprocesses that call pack/unpack helper scripts at an absolute path (/mnt/c/Users/70426/.openclaw/skills/minimax-xlsx/...). The skill will read arbitrary files given by the user (salary/template) and writes to /tmp and output paths — acceptable for the task, but the absolute helper-script paths and embedded billing key extend scope beyond a simple local conversion tool.
Install Mechanism
There is no install spec. The scripts require Python packages (openpyxl, lxml) and external minimax-xlsx helper scripts (xlsx_unpack.py/xlsx_pack.py) but those aren't provided or declared as dependencies. The code calls those helpers via hardcoded absolute paths, which is fragile and potentially dangerous if an attacker can supply/replace those scripts on the host.
Credentials
Registry metadata declares no required env vars, but handler.py reads/uses SKILLPAY_API_KEY, SKILLPAY_API_URL, and SKILLPAY_SKILL_ID (with defaults). A full API key is committed into SKILL.md and as a default in code — this is disproportionate and risky because it causes billing/network behavior without an explicit credential requirement or user-provided key.
Persistence & Privilege
always:false and the skill does not request persistent presence or modify other skills. It writes temporary files under /tmp and outputs an XLSX file — behaviour is consistent with a conversion/import tool and does not escalate agent privileges.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install cmb-salary-import - 安装完成后,直接呼叫该 Skill 的名称或使用
/cmb-salary-import触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.2.0
接入SkillPay完整计费:SKILL_ID已配置,charge接口对接完成
v1.1.0
更新
v1.0.1
更新:添加收款信息
v1.0.0
首次发布
元数据
常见问题
Cmb Salary Import 是什么?
招商银行工资批量导入工具。当用户提到"招行工资导入"、"工资表导入银行模板"、"AgencyPayment"、"批量代发"、"工资文件导入银行"时触发。功能:将工资表(工资.xlsx)中的税后实发金额、姓名、银行卡号、开户行等信息,不改格式地填入银行代发模板(AgencyPayment.xlsx)。支持:读取任意... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 115 次。
如何安装 Cmb Salary Import?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install cmb-salary-import」即可一键安装,无需额外配置。
Cmb Salary Import 是免费的吗?
是的,Cmb Salary Import 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Cmb Salary Import 支持哪些平台?
Cmb Salary Import 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Cmb Salary Import?
由 loverun321(@loverun321)开发并维护,当前版本 v1.2.0。
推荐 Skills