← 返回 Skills 市场
spzwin

Cms Auth Skills

作者 spzwin · GitHub ↗ · v2.3.6 · MIT-0
cross-platform ✓ 安全检测通过
339
总下载
0
收藏
1
当前安装
14
版本数
在 OpenClaw 中安装
/install cms-auth-skills
功能描述
CMS 基础鉴权 Skill。任何业务接口 Header 需要 appKey 或 access-token 时都必须先触发本 Skill。支持从上下文、环境变量、sender_id+account_id、appKey换token,并在失败时向用户索要 appKey(工作协同 key / cowork key)。
使用说明 (SKILL.md)

cms-auth-skills

版本: v2.3.4

定位

  • 本 Skill 只负责鉴权值解析,输出 appKeyaccess-token
  • 术语统一:appKey = 工作协同 key = cowork key
  • 任何业务接口需要鉴权 Header,都必须先触发本 Skill

AI 执行总规则

  1. 先判断目标接口需要 appKey 还是 access-token
  2. 再按固定优先级解析,不要跳步骤
  3. 解析失败时,只向用户索要 appKey
  4. appKey 解析与 access-token 解析是两个独立步骤:只需要 appKey 时,不要主动换 access-token
  5. 统一通过 scripts/auth/login.py 执行,不需要读取或分析 scripts/auth/*.py 源码

支持能力(5 条)

  1. 支持从上下文/显式参数直接获取 appKeyaccess-token
  2. 支持从环境变量获取(并做判空):XG_BIZ_API_KEYXG_USER_TOKEN
  3. 支持通过 appKey 获取 access-token
  4. 支持通过 sender_id + account_id 获取 appKey
  5. 支持在自动解析失败时向用户索要 appKey

解析优先级(必须按顺序)

目标是 appKey

  1. 上下文/显式 appKey
  2. 环境变量 XG_BIZ_API_KEY
  3. sender_id + account_id
  4. 向用户索要 appKey

目标是 access-token

  1. 上下文/显式 access-token
  2. 上下文/显式 appKey -> 换 access-token
  3. 环境变量 XG_USER_TOKEN
  4. 环境变量 XG_BIZ_API_KEY -> 换 access-token
  5. sender_id + account_id -> appKey -> access-token
  6. 向用户索要 appKey

上下文字段兼容

  • appKeyappKey / app_key / appkey
  • access-tokenaccess-token / access_token / token
  • sender_idsender_id / senderId / send_id / sendId
  • account_idaccount_id / accountId

CLI

推荐参数:

  • --app-key
  • --access-token
  • --sender-id
  • --account-id
  • --resolve-app-key
  • --ensure
  • --update

兼容旧调用:

  • --context-json

常用示例

# 直接返回 token
python3 login.py --ensure --access-token "your-token"

# 用 appKey 换 token
python3 login.py --ensure --app-key "your-app-key"

# 只解析 appKey
python3 login.py --resolve-app-key --sender-id "user-001" --account-id "xgjk_prod"

# 兼容旧调用
python3 login.py --ensure --context-json '{"appKey":"your-app-key"}'
安全使用建议
This skill appears to do what it says: it looks for appKey or token in context/env, exchanges appKey for a token via provider APIs, and caches results. Before installing, confirm you trust the remote endpoints (sg-cwork-web.mediportal.com.cn, sg-al-cwork-web.mediportal.com.cn, skills.mediportal.com.cn) and the repository owner. Note the skill will: 1) attempt network calls to those hosts; 2) require the Python 'requests' package (not declared); 3) persist appKey/token in a workspace .cms-log/state directory (auth.json) and may migrate legacy auth directories — these files can contain sensitive tokens. If you proceed, consider inspecting the bundled code yourself, restrict workspace access, and avoid putting high-privilege credentials into environment variables unless you trust the skill and endpoints. If you don't trust the remote hosts or the embedded APPKEY_REQUEST_KEY, do not install.
功能分析
Type: OpenClaw Skill Name: cms-auth-skills Version: 2.3.6 The bundle is a specialized authentication utility for the MediPortal CMS platform, designed to resolve and cache 'appKey' and 'access-token' values. It communicates with legitimate corporate endpoints (mediportal.com.cn) to exchange user identifiers for session tokens, which is consistent with its stated purpose in SKILL.md. While it contains minor security weaknesses such as disabled SSL verification (verify=False) and a hardcoded internal request key in login.py, it also includes positive security features like automated log sanitization to prevent secret leakage in auth_support.py.
能力评估
Purpose & Capability
Name/description state the skill will resolve appKey/access-token. The Python code implements exactly that: reading env vars XG_BIZ_API_KEY and XG_USER_TOKEN, exchanging appKey for tokens via TOKEN_AUTH_URL, resolving appKey via APPKEY_API_URL, and caching results. Hard-coded API endpoints and request key are consistent with the described CMS integration.
Instruction Scope
SKILL.md instructs callers to run scripts/auth/login.py and follow the documented priority rules. The runtime behavior aligns: the code reads context/explicit args, environment variables, calls remote auth endpoints, and falls back to asking user for appKey. It also reads/writes local cache/log files and migrates legacy runtime directories — these filesystem actions are outside pure in-memory parsing and should be expected and reviewed.
Install Mechanism
There is no install spec (instruction-only), so nothing is downloaded or installed automatically. However, bundled Python scripts require the third-party 'requests' library (not declared in registry metadata). No automatic code-download/update is performed (self_update only checks a remote version endpoint and signals when an update is available).
Credentials
Registry metadata lists no required env vars, but both SKILL.md and code use XG_BIZ_API_KEY and XG_USER_TOKEN (as optional credential sources). That is proportionate to the skill's purpose. The code will read these variables and will store resolved tokens/appKeys in a local auth cache.
Persistence & Privilege
The skill writes logs and an auth.json cache under a runtime root directory (e.g., .cms-log in the workspace), and may migrate legacy runtime directories. It caches appKey/token values by sender_id on disk. Persisted credentials are sensitive; this persistent storage and directory-migration behavior increases blast radius if the workspace is shared or untrusted.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install cms-auth-skills
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /cms-auth-skills 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v2.3.6
从内部平台同步更新,基于版本 2.3.2 升级到 2.3.6
v2.3.5
- Added _meta.json file for enhanced metadata management. - No other functionality or documentation changes in this version.
v2.3.4
CMS 基础鉴权 Skill 更新到版本 2.3.4,同步内部平台更新
v2.3.3
Version 2.3.3 - Added _meta.json file for skill metadata management. - No changes to core logic or documentation.
v2.3.2
**cms-auth-skills v2.3.2** - 新增脚本:auth_support.py、self_update.py 及 version.json,提升扩展性和自动化能力。 - 移除文档文件 scripts/auth/API.md,精简项目结构。 - SKILL.md 完全重写:结构更简洁,描述更聚焦“鉴权值解析、appKey/work key/token”,细化能力说明与解析优先级。 - 明确新增对 CLI 新参数(--app-key, --access-token, --sender-id, --account-id 等)的推荐和兼容。 - 路径/接口说明与上下文字段兼容性约定更加直观易查。
v2.3.1
Sync internal platform update
v1.3.0
sync from internal platform release 1.3 (skillCode: cms-auth-skills)
v2.3.0
**cms-auth-skills v2.1.1** - 更新 SKILL.md 至 v2.3,说明更明确,增加“所有 header 鉴权值必须通过本 Skill 获取”强约束,优先级提高为 1。 - 新增 send_id/sender_id 相关鉴权、缓存与环境变量读取逻辑说明。 - 明确环境变量读取场景、缓存启用条件及取值策略。 - 不涉及功能脚本更新,仅文档和优先级规范性调整。 - 新增 `.pyc` 缓存文件(无业务逻辑变化)。
v2.1.0
## cms-auth-skills v2.1.0 - 新增缓存机制:appKey/token 可根据 send_id 缓存到 `cms-auth/auth.json`,同一 send_id 优先走缓存,减少重复网络请求。 - 引入 `--update` 命令行参数,允许控制是否跳过缓存强制重新获取鉴权信息。 - sessionKey 说明已移除,相关机制统一由 send_id 控制缓存行为。 - 其余逻辑未变,接口调用与上下层职责保持一致。
v2.0.0
sync internal platform update 2026-04-01
v1.0.3
更新到 v2.0,优化鉴权流程,增加缓存机制
v1.0.2
Major update: centralized all auth and conventions docs into SKILL.md, introduced cache and logging mechanisms. - 移除了 `common/auth.md`, `common/conventions.md`, `openapi/auth/appkey.md`, `openapi/auth/login.md`,所有规范与接口文档现全部内嵌于 SKILL.md - 新增缓存机制,`appKey`/`access-token` 支持写入和读取 `cms-auth/auth.json`,支持按 `session_id` 细粒度管理 - 新增 API 调用日志目录 `cms-auth/logs/`,日志包含脱敏处理,最长保存 30 天 - 细化了 context 传参规范、鉴权判断流程及脚本调用方式,所有规则、调用样例、执行顺序与边界集中在 SKILL.md - 明确零依赖(仅标准库)、stdout/err 分离和安全性(文件权限、日志脱敏)约束 - 详实列出兼容的目录结构及能力树
v1.0.1
- Version bump to 1.0.1 with no file changes. - No functional updates or documentation changes in this release.
v1.0.0
Initial release providing core authentication capability for CMS skills. - Provides unified login and authorization logic for all upper-level skills. - Outputs only two results: appKey or access-token. - Ensures that business interfaces use standardized, dependency-based authentication (no code duplication). - Zero external dependencies; only standard Python library used. - Follows strict execution and context preparation rules as outlined in `common/conventions.md` and `common/auth.md`. - Robustness: includes retry and in-memory token management, with no local token storage.
元数据
Slug cms-auth-skills
版本 2.3.6
许可证 MIT-0
累计安装 1
当前安装数 1
历史版本数 14
常见问题

Cms Auth Skills 是什么?

CMS 基础鉴权 Skill。任何业务接口 Header 需要 appKey 或 access-token 时都必须先触发本 Skill。支持从上下文、环境变量、sender_id+account_id、appKey换token,并在失败时向用户索要 appKey(工作协同 key / cowork key)。 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 339 次。

如何安装 Cms Auth Skills?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install cms-auth-skills」即可一键安装,无需额外配置。

Cms Auth Skills 是免费的吗?

是的,Cms Auth Skills 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。

Cms Auth Skills 支持哪些平台?

Cms Auth Skills 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Cms Auth Skills?

由 spzwin(@spzwin)开发并维护,当前版本 v2.3.6。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论