- Total downloads: 96
- Favorites: 0
- Current installs: 0
- Versions: 4
Install in OpenClaw
/install navi-office
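Description
NaviOffice OA office system MCP integration skill: covers 11 modules (system administration, human resources, attendance, finance, CRM, sales, purchasing, inventory, projects, production, and metrology and inspection) and supports data queries and business operations.
Security usage recommendations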
This skill appears to be a genuine NaviOffice API client, but there are important red flags you should consider before installing or using it:
- Secrets required: The SKILL.md and the included scripts require NAVI_OFFICE_API_TOKEN (and optionally NAVI_OFFICE_API_URL and NAVI_OFFICE_ALLOW_CUSTOM_DOMAIN), but the registry metadata lists no required env vars. Treat this as a transparency/packaging mistake — assume you must provide an API token for the skill to work.
- Broken domain validation: Both the JS and Python scripts have a bug that compares the parsed hostname to the full URL string 'https://oa.teredy.com/api'. As written, the scripts will reject the official domain and terminate unless NAVI_OFFICE_ALLOW_CUSTOM_DOMAIN=true is set. That effectively forces users to enable "allow custom domain" to proceed, which is risky because it relaxes the whitelist and could allow the token to be sent to an arbitrary endpoint.
- Before using the skill, do one or more of the following:
  - Inspect the scripts (navioffice.js / navioffice.py) yourself or ask the author to fix the domain-check bug so the allowed host is compared correctly (should compare hostname to 'oa.teredy.com' or compare the full URL string consistently). A safe fix: validate that the parsed hostname === 'oa.teredy.com' (or if you want to allow subdomains, check suffix).
  - If you must test, use a non-production API token with minimal privileges and run the tool in an isolated environment/network where you can monitor outbound requests.
  - Do not set NAVI_OFFICE_ALLOW_CUSTOM_DOMAIN=true unless you fully trust the endpoint. If you do set it, ensure NAVI_OFFICE_API_URL points to a vetted, internal, or otherwise trusted host.
  - Ask the publisher to update registry metadata to declare NAVI_OFFICE_API_TOKEN as a required env var so the platform can surface the requirement.
  - Use the Python/Node scripts only after verifying they send traffic to the intended hostname and not to unknown third parties.
Given the missing metadata and the domain-validation bug (which has a direct security impact), treat this package as suspicious until the author corrects the issues or you perform an independent code/network audit.
Capability assessment
Purpose & Capability
The skill name/description (NaviOffice OA integration) aligns with the provided code and reference docs: the CLI scripts make authenticated HTTP calls to the described API and the references enumerate expected modules. However the registry metadata claims 'Required env vars: none' while the SKILL.md and the included scripts clearly require NAVI_OFFICE_API_TOKEN (and optionally NAVI_OFFICE_API_URL / NAVI_OFFICE_ALLOW_CUSTOM_DOMAIN). This metadata omission is an inconsistency that reduces transparency.
Instruction Scope
SKILL.md and the scripts instruct the agent to read a .env file placed in the skill directory and to send requests to the configured API endpoint using X-Api-Token. That's reasonable for an API integration. However both the JS and Python scripts contain a broken domain validation check (they compare a hostname to the full URL string 'https://oa.teredy.com/api'), which will reject the official domain unless NAVI_OFFICE_ALLOW_CUSTOM_DOMAIN=true is set. That behavior contradicts the SKILL.md security guidance and can push users to explicitly allow custom domains, increasing risk of sending tokens to arbitrary endpoints.
Install Mechanism
There is no install spec; the skill is instruction/code-only and does not download external archives or run an installer. That keeps install-time risk low. The skill does include three CLI scripts (shell, Python, Node) which will be executed by the agent or by the user if invoked.
Credentials
The runtime requires NAVI_OFFICE_API_TOKEN (and optionally NAVI_OFFICE_API_URL and NAVI_OFFICE_ALLOW_CUSTOM_DOMAIN) to operate — appropriate for an API client. But the registry metadata does not declare any required env vars (discrepancy). Additionally, the broken domain validation forces users to set NAVI_OFFICE_ALLOW_CUSTOM_DOMAIN=true (or otherwise circumvent validation), which is a disproportionate and dangerous action because it weakens the domain whitelist and can permit use of arbitrary endpoints that could receive the token.
Persistence & Privilege
The skill does not request 'always: true' or any elevated persistent platform privileges, nor does it modify other skills or system-wide configuration. It reads a .env from its own skill directory (documented).
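How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: `/install navi-office`
- After installation, call the Skill by name or trigger it with `/navi-office`
- Provide the required input according to the Skill's parameter description to get structured output
Version history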
v1.0.3
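- Added the environment variable NAVI_OFFICE_ALLOW_CUSTOM_DOMAIN, which allows a custom API domain; by default only the official address is supported
- The security notes now state explicitly that a custom domain requires setting NAVI_OFFICE_ALLOW_CUSTOM_DOMAIN=true
- More detailed environment variable and security notes, with more prominent risk warnings about official versus unofficial API addresses
- No changes to other features or calling conventions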
v1.0.2
- Added a sample environment variable configuration file: .env.example
- Updated documentation to reflect the default API URL as https://oa.teredy.com/api instead of https://api.navioffice.com
v1.0.1
navi-office 1.0.1
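- Added "Installation" instructions and a one-step install command (clawdhub install navi-office)
- Added environment variable and security notes, emphasizing the default credential read path and a warning about the official API address
- Clarified that the environment variable `NAVI_OFFICE_API_URL` is optional, and added how to write the request header
- Usage rules, the tool-loading mechanism, and other content are unchanged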
v1.0.0
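Initial release of the NaviOffice OA office system skill, with integration for 11 core business modules:
- Covers the full business workflow: system administration, human resources, attendance, finance, CRM, sales, purchasing, inventory, projects, production, and metrology and inspection.
- Provides per-module tools that support data queries and business operations.
- Introduces a progressive tool-loading strategy that reduces token consumption by loading the relevant module tools on demand.
- Supports CLI script invocation and JSON parameter passing, suitable for a variety of development environments.
- Defines calling conventions, including fuzzy name lookup, pagination, date formats, and permission checks, to improve operational consistency and security.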
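FAQ
What is the NaviOffice Skill?
NaviOffice OA office system MCP integration skill: covers 11 modules (system administration, human resources, attendance, finance, CRM, sales, purchasing, inventory, projects, production, and metrology and inspection) and supports data queries and business operations. It is an AI Agent Skill plugin for Claude Code / OpenClaw and has been downloaded 96 times in total so far.
How do I install the NaviOffice Skill?
Run the command "/install navi-office" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.
Is the NaviOffice Skill free?
Yes. The NaviOffice Skill is completely free, is released under the MIT-0 license, and can be freely downloaded, installed, and used.
Which platforms does the NaviOffice Skill support?
The NaviOffice Skill is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed the NaviOffice Skill?
It is developed and maintained by vincent66 (@zhaowb82); the current version is v1.0.3.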