← 返回 Skills 市场
165
总下载
0
收藏
1
当前安装
4
版本数
在 OpenClaw 中安装
/install cms-cwork-skils
功能描述
CWork 工作协同原子能力集,覆盖员工搜索、文件上传下载、发送/回复汇报、收发件箱、汇报详情、任务、待办、事项、插件聚合、新消息、已读状态与 AI 问答;适用于“汇报、待办、任务、附件、消息、已读、员工查询”等场景;仅支持 appKey 鉴权并按需加载接口执行组合调用。
使用说明 (SKILL.md)
cms-cwork-skils — 索引
本技能包基于 XGJK v1.05 协议构建,围绕《工作协同业务说明.md》《工作协同API说明.md》《基础服务业务说明.md》《基础服务-API说明.md》整理当前已覆盖的 CWork 常用协同能力,通过"一接口一脚本"的模式提供自动化办公支持。
当前版本: v1.3
接口版本: 所有业务接口统一使用 /open-api/* 前缀,自带 appKey 鉴权。
触发场景(用于 AI 路由)
- 高频意图: 发汇报、回汇报、查收件箱/发件箱、查汇报详情、查待办、完成待办、建任务、查事项、查新消息、标记已读、上传附件、查员工。
- 关键词:
工作协同汇报回复待办任务附件消息已读员工搜索组织架构AI问答。 - 路由边界: 仅处理 CWork 协同与基础服务接口;不做登录换 token,鉴权统一依赖
cms-auth-skills提供appKey。
能力概览
- user-search: 按姓名模糊搜索内部员工
- employee-service: 批量员工信息与组织架构信息查询
- file-service: 文件上传与下载信息查询
- report-write: 发送汇报与回复汇报
- inbox: 获取收件箱汇报列表
- outbox: 获取发件箱汇报列表
- report-detail: 获取单篇汇报的结构化详情
- tasks: 工作任务分页与任务简易信息查询
- todos: 待办事项管理(列表、创建的反馈、完成状态切换)
- templates: 最近处理事项清单与事项批量详情
- plugin-report: 插件场景的待办/未读聚合查询
- report-query: 汇报待办、汇报未读与已读判断
- report-message: 我的新消息与阅读汇报状态变更
- ai-qa: 汇报内容 AI SSE 问答
- plan-create: 创建高级工作任务
当前覆盖范围说明:
- 已覆盖《工作协同API说明.md》中的 24 个接口点,以及《基础服务-API说明.md》中的 5 个接口点
- 已覆盖员工搜索、批量员工信息、组织架构、文件上传、文件下载信息、发送汇报、汇报回复、收件箱/发件箱、汇报详情、任务分页、任务简易信息、通用待办、创建的反馈待办、事项列表、事项批量详情、插件聚合列表、汇报待办/未读列表、已读判断、新消息、阅读汇报、汇报 AI 问答、高级任务创建
统一规范:
- 认证与鉴权:统一由
cms-auth-skills提供,详见cms-auth-skills/SKILL.md
鉴权模式声明(重要)
xgjk-cwork 所有业务接口仅支持
appKey鉴权模式,不支持access-token。
- 对应
cms-auth-skills的login.py,xgjk-cwork 场景只允许使用--resolve-app-key参数(返回appKey)- 禁止使用
--ensure(会返回 access-token,xgjk-cwork 接口无法识别)- 正确用法:
python3 login.py --resolve-app-key→ 返回可直接用于appKeyHeader 的值
鉴权宪章(铁律)
- 禁止问用户任何关于 token / 鉴权 / 登录的问题 — 鉴权统一依赖
cms-auth-skills - 所有鉴权操作必须且只能通过
cms-auth-skills/scripts/auth/login.py --resolve-app-key执行,严禁在脚本中直接调用底层 HTTP 鉴权接口 - 对外克制:对用户只输出结论或摘要,不暴露鉴权细节与内部字段
授权依赖
- 当需要
appKey时,优先直接读取cms-auth-skills/SKILL.md - 如果能读取到,直接按
cms-auth-skills/SKILL.md中的鉴权规则,使用login.py --resolve-app-key准备appKey - 如果读取不到(说明未安装),再执行
npx clawhub@latest install cms-auth-skills --force - 如果上面的安装方式不可用,再尝试执行
npx clawhub@latest install https://github.com/spzwin/cms-auth-skills.git --force - 安装完成后,再继续后续操作
脚本使用规则
- Python 强制性: 所有脚本必须使用 Python 编写。
- 独立执行: 脚本通过环境变量
XG_BIZ_API_KEY/XG_APP_KEY运行;若本地尚未准备appKey,需先按cms-auth-skills规则解析后再执行。 - 1:1 映射: 每个接口文档 (
openapi/) 必须对应一个 Python 脚本 (scripts/)。 - 可探测性: 所有脚本必须支持在未设置
appKey时执行-h/--help,便于 AI 先探测参数再组合调用。 - 参数策略: 组合调用时优先使用显式参数名(如
--report-id、--employee-id、--corp-id),仅在兼容场景下使用位置参数。
AI 组合调用约束(推荐)
- 执行顺序: 先读取
openapi/\x3Cmodule>/api-index.md确认接口,再读取对应scripts/\x3Cmodule>/README.md确认参数,最后执行脚本。 - 写操作确认: 涉及数据变更的接口(如
report-write/*、todos/complete.py、report-message/read-report.py、plan-create/create-simple.py)必须先做明确确认再调用。 - 大结果控制: 对高体量接口优先使用
--client-limit和--output-file,默认建议只处理前200条,最大不超过500条。 - 分页认知:
reportInfoOpenQuery/unreadList实测可能忽略传入pageSize,不要把脚本裁剪结果误判为平台真实分页结果。 - 输出契约: 所有脚本都返回 JSON;优先按
resultCode / resultMsg / data读取,必要时再解析模块特定字段。
按需加载原则(重要)
- 禁止全量预加载: 不需要、也不应一次性加载全部
27个接口文档与脚本说明。 - 按任务最小读取: 仅按当前用户意图读取最小必要集合,优先模块级索引,再下钻单接口文档与单脚本说明。
- 分阶段扩展: 当需求变化时再增量读取下一个模块,避免提前加载无关接口。
- 组合调用路径:
SKILL.md(能力定位)→openapi/\x3Cmodule>/api-index.md(接口候选)→ 单接口openapi文档(请求契约)→scripts/\x3Cmodule>/README.md(参数规范)→ 单脚本执行。 - 跨模块最小闭环: 仅在业务链路确实需要时才跨模块组合,例如“附件汇报链路”只需
file-service+report-write,不应额外加载tasks/todos/plugin-report。
能力树
cms-cwork-skils/
├── SKILL.md
├── openapi/
│ ├── user-search/
│ │ ├── api-index.md
│ │ └── search-emp.md
│ ├── employee-service/
│ │ ├── api-index.md
│ │ ├── get-by-person-ids.md
│ │ └── get-org-info.md
│ ├── file-service/
│ │ ├── api-index.md
│ │ ├── get-download-info.md
│ │ └── upload-file.md
│ ├── report-write/
│ │ ├── api-index.md
│ │ ├── submit.md
│ │ └── reply.md
│ ├── inbox/
│ │ ├── api-index.md
│ │ └── get-list.md
│ ├── outbox/
│ │ ├── api-index.md
│ │ └── get-list.md
│ ├── report-detail/
│ │ ├── api-index.md
│ │ └── get-info.md
│ ├── tasks/
│ │ ├── api-index.md
│ │ ├── get-page.md
│ │ └── get-simple-plan-and-report-info.md
│ ├── todos/
│ │ ├── api-index.md
│ │ ├── get-list.md
│ │ ├── complete.md
│ │ └── list-created-feedbacks.md
│ ├── templates/
│ │ ├── api-index.md
│ │ ├── get-list.md
│ │ └── list-by-ids.md
│ ├── plugin-report/
│ │ ├── api-index.md
│ │ ├── get-list.md
│ │ ├── get-latest-list.md
│ │ └── get-unread-list.md
│ ├── report-query/
│ │ ├── api-index.md
│ │ ├── get-todo-list.md
│ │ ├── get-unread-list.md
│ │ └── is-report-read.md
│ ├── report-message/
│ │ ├── api-index.md
│ │ ├── find-my-new-msg-list.md
│ │ └── read-report.md
│ ├── ai-qa/
│ │ ├── api-index.md
│ │ └── ask-sse.md
│ └── plan-create/
│ ├── api-index.md
│ └── create-simple.md
├── examples/
│ ├── user-search/README.md # 含 3S1R 管理闭环
│ ├── employee-service/README.md # 含 3S1R 管理闭环
│ ├── file-service/README.md # 含 3S1R 管理闭环
│ ├── report-write/README.md # 含 3S1R 管理闭环(含写操作确认)
│ ├── inbox/README.md # 含 3S1R 管理闭环
│ ├── outbox/README.md # 含 3S1R 管理闭环
│ ├── report-detail/README.md # 含 3S1R 管理闭环
│ ├── tasks/README.md # 含 3S1R 管理闭环
│ ├── todos/README.md # 含 3S1R 管理闭环(含写操作确认)
│ ├── templates/README.md # 含 3S1R 管理闭环
│ ├── plugin-report/README.md # 含 3S1R 管理闭环
│ ├── report-query/README.md # 含 3S1R 管理闭环
│ ├── report-message/README.md # 含 3S1R 管理闭环(含写操作确认)
│ ├── ai-qa/README.md # 含 3S1R 管理闭环(含 SSE 说明)
│ └── plan-create/README.md # 含 3S1R 管理闭环(含写操作确认)
└── scripts/
├── user-search/
│ ├── search-emp.py
│ └── README.md
├── employee-service/
│ ├── get-by-person-ids.py
│ ├── get-org-info.py
│ └── README.md
├── file-service/
│ ├── get-download-info.py
│ ├── upload-file.py
│ └── README.md
├── report-write/
│ ├── submit.py
│ ├── reply.py
│ └── README.md
├── inbox/
│ ├── get-list.py
│ └── README.md
├── outbox/
│ ├── get-list.py
│ └── README.md
├── report-detail/
│ ├── get-info.py
│ └── README.md
├── tasks/
│ ├── get-page.py
│ ├── get-simple-plan-and-report-info.py
│ └── README.md
├── todos/
│ ├── get-list.py
│ ├── complete.py
│ ├── list-created-feedbacks.py
│ └── README.md
├── templates/
│ ├── get-list.py
│ ├── get-by-ids.py
│ └── README.md
├── plugin-report/
│ ├── get-list.py
│ ├── get-latest-list.py
│ ├── get-unread-list.py
│ └── README.md
├── report-query/
│ ├── get-todo-list.py
│ ├── get-unread-list.py
│ ├── is-report-read.py
│ └── README.md
├── report-message/
│ ├── find-my-new-msg-list.py
│ ├── read-report.py
│ └── README.md
├── ai-qa/
│ ├── ask-sse.py
│ └── README.md
└── plan-create/
├── create-simple.py
└── README.md
模块数量统计
| 分类 | 数量 | 说明 |
|---|---|---|
| 业务模块 | 15 | user-search / employee-service / file-service / report-write / inbox / outbox / report-detail / tasks / todos / templates / plugin-report / report-query / report-message / ai-qa / plan-create |
| API 接口文档 | 27 | 对两份主文档去重后形成的 27 个接口能力文档 |
| Python 脚本 | 27 | 与接口 1:1 映射 |
| 示例指引文档 | 15 | examples/\x3Cmodule>/README.md,含 3S1R 标准化流程 |
安全使用建议
This package appears to implement a real CWork API wrapper (scripts, OpenAPI docs match), but there are three main caution points:
1) Authentication handling: the skill relies on an external helper `cms-auth-skills` to produce an appKey and instructs the agent to never ask the user about tokens. Confirm where `cms-auth-skills` comes from and review its code/behavior. Do not run this skill until you trust that helper.
2) Auto-install instructions: SKILL.md tells the agent to run `npx ... install` and fall back to a GitHub repo. Running npx or installing from GitHub executes remote code and can modify your environment. Prefer to manually inspect and install `cms-auth-skills` from a vetted source (or reject the skill) rather than allowing automated installs.
3) Metadata/document mismatch & obfuscation signal: the registry metadata declares no required env vars, but scripts need appKey env vars. Also the pre-scan found unicode-control characters in SKILL.md (prompt-injection/obfuscation risk). Ask the publisher for a clear provenance statement and for the missing env/credential declarations to be fixed.
Practical steps before installing:
- Request the canonical source URL or a signed release for both this skill and cms-auth-skills; do not rely on npx fallbacks.
- Manually review the cms-auth-skills code, especially login.py --resolve-app-key, to see how credentials are obtained/stored and whether any secrets are transmitted to third parties.
- Run the scripts in an isolated sandbox without privileged credentials and with network restrictions until validated.
- If you will provide an appKey, ensure it is scoped and revocable; avoid supplying any broad or cloud-level secrets.
Because of these inconsistencies and the installation behavior, treat this skill as suspicious until provenance and the auth-install flow are validated.
功能分析
Type: OpenClaw Skill
Name: cms-cwork-skils
Version: 1.0.0
The skill bundle provides integration with the CWork collaboration platform via 27 Python scripts. It is classified as suspicious due to the systematic use of 'verify=False' in all network requests (e.g., scripts/report-write/submit.py and scripts/ai-qa/ask-sse.py), which disables SSL certificate validation and exposes the agent to man-in-the-middle attacks. Furthermore, the SKILL.md file includes instructions for the AI agent to perform forced software installations using 'npx clawhub' from a specific GitHub URL if dependencies are missing. While these behaviors appear intended for the stated functionality, they introduce significant security vulnerabilities and a high-risk execution path that could be exploited via prompt injection.
能力评估
Purpose & Capability
The skill name/description, openapi docs and Python scripts consistently implement CWork collaboration actions (search users, upload/download files, send/reply reports, todos, SSE AI QA). That fits the stated purpose. However the package metadata declares no required credentials or env vars while the SKILL.md and scripts explicitly rely on an `appKey` (XG_BIZ_API_KEY / XG_APP_KEY) provided by a separate helper skill (cms-auth-skills). The missing declaration of required credential/env in the registry metadata is an inconsistency.
Instruction Scope
SKILL.md explicitly instructs the agent to read cms-auth-skills/SKILL.md and — if not present — to run `npx clawhub@latest install cms-auth-skills --force` or fall back to installing from a GitHub repo. That is an instruction to fetch and execute external code. The SKILL.md also enforces a strict authentication charter (never ask user for tokens, only use the helper). While this may be intended to centralize auth, it also reduces transparency and could be used to hide credential handling. Scripts perform file uploads/downloads and require local file paths when uploading; those file operations are normal for the stated purpose but should only run with explicit user consent.
Install Mechanism
There is no formal install spec in registry metadata (instruction-only), but the runtime instructions direct the agent to run npx to install another skill and possibly pull from a GitHub repository. Using npx to fetch & run packages (and falling back to a GitHub repo) is higher risk because it executes remote code not pre-declared in the registry. The fallback to a direct GitHub install is especially sensitive.
Credentials
The manifest lists no required env vars, but the SKILL.md and scripts expect an `appKey` provided as environment variables (XG_BIZ_API_KEY / XG_APP_KEY) and rely on cms-auth-skills to produce it. No unrelated cloud credentials are requested. The mismatch between declared 'none' and actual appKey dependency is a proportionality/visibility issue that should be fixed before trust.
Persistence & Privilege
always:false (good), but runtime instructions instruct the agent to install another skill (cms-auth-skills) into the environment via npx/git. That is an action that changes the agent runtime (writes/installs code) and increases persistence/privilege surface. The skill does not itself declare always:true, but its install guidance effectively grants it the ability to pull and install code autonomously — a notable privilege.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install cms-cwork-skils - 安装完成后,直接呼叫该 Skill 的名称或使用
/cms-cwork-skils触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
cms-cwork-skils v1.0.0
- 提供 CWork 工作协同原子能力集,涵盖员工搜索、文件上传下载、汇报、收发件箱、消息、任务、待办、事项等协同场景
- 统一支持 appKey 鉴权模式,依赖 cms-auth-skills 组件进行安全校验
- 每个 API 接口均有 1:1 对应的 Python 脚本,便于自动化集成与组合调用
- 支持按需加载最小必要接口与脚本,带能力索引与详细目录结构说明
- 已实现 27 个主要协同接口,覆盖高频办公需求
- 附带完整示例文档和参数用法说明,方便快速使用
v1.0.2
更新到 v2.0,完善 CWork 协同工具,增加更多业务接口
v1.0.1
Initial release of cms-cwork-skils script binaries.
- Added 28 Python bytecode (`.pyc`) files covering main modules and interfaces.
- Each script corresponds 1:1 with a documented API capability, such as员工搜索, 文件上传下载, 汇报收发, 任务与待办管理, 等等.
- Enables automated execution of core CWork协同功能 via Python scripts, ready for integration and combination use.
- All scripts are compatible with appKey authentication as defined in cms-auth-skills.
v1.3.0
CWork工作协同原子能力集,覆盖员工搜索、文件上传下载、发送/回复汇报、收发件箱、汇报详情、任务、待办、事项、插件聚合、新消息、已读状态与AI问答
元数据
常见问题
Cms Cwork Skils 是什么?
CWork 工作协同原子能力集,覆盖员工搜索、文件上传下载、发送/回复汇报、收发件箱、汇报详情、任务、待办、事项、插件聚合、新消息、已读状态与 AI 问答;适用于“汇报、待办、任务、附件、消息、已读、员工查询”等场景;仅支持 appKey 鉴权并按需加载接口执行组合调用。 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 165 次。
如何安装 Cms Cwork Skils?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install cms-cwork-skils」即可一键安装,无需额外配置。
Cms Cwork Skils 是免费的吗?
是的,Cms Cwork Skils 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Cms Cwork Skils 支持哪些平台?
Cms Cwork Skils 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Cms Cwork Skils?
由 spzwin(@spzwin)开发并维护,当前版本 v1.0.0。
推荐 Skills