Total downloads: 116
Favorites: 0
Current installs: 1
Versions: 2
Install in OpenClaw
/install sfe-dm-data-viewer
Description
A dedicated SFE data query tool for 德镁, used to query 德镁-specific custom data such as 百卢妥 daily collection feedback
Security usage recommendations
This skill appears to implement the functionality it claims, but there are several red flags you should consider before installing or running it:
- Secrets / env vars: The included scripts require an app key via XG_BIZ_API_KEY or XG_APP_KEY, but the skill metadata did not declare this. Expect to provide that secret if you run the scripts. Only set such keys if you trust the API and code.
- Automatic install of another skill: SKILL.md tells the agent to run 'npx clawhub@latest install cms-auth-skills --force' (and a GitHub fallback). That will download and install external code at runtime. Review the cms-auth-skills code/repo first and avoid automatic installs from unknown sources.
- Missing runtime assumptions: The instructions assume 'npx'/'clawhub' are available; the skill metadata did not declare required binaries. If the agent attempts to run those commands and they are present, code will be fetched and executed.
- TLS verification disabled: Both API scripts call requests.post(..., verify=False), which disables HTTPS certificate verification — this makes network communication vulnerable to MITM and could leak the app key. You should modify scripts to use verify=True (or remove the flag) before running in production.
- Code review: The TOON encoder is large but appears to be a serialization utility. Still, review the cms-auth-skills (if installed) and included scripts for any additional network calls, logging of secrets, or persistence of credentials.
Recommendations: do not let the agent auto-run the npx install; instead manually inspect cms-auth-skills repository and the included scripts. Fix verify=False, ensure you only provide the minimal API key needed, and run the scripts in a controlled environment first (or run curl requests manually if you prefer). If you are not comfortable reviewing the external cms-auth-skills code, avoid installing or running this skill.
Functional analysis
Type: OpenClaw Skill
Name: sfe-dm-data-viewer
Version: 1.0.1
The skill bundle provides tools for querying business data from a remote API (erp-web.mediportal.com.cn). It contains a security vulnerability where SSL certificate verification is explicitly disabled (verify=False) in the scripts 'balutamide-daily-feedback.py' and 'balutamide-statistics-by-region.py', exposing the agent to potential Man-in-the-Middle attacks. Additionally, 'SKILL.md' includes instructions for the agent to perform forced dependency installations via npx and external GitHub URLs, which increases the supply chain risk profile.
Capability assessment
Purpose & Capability
Name/description, openapi docs, examples, and Python scripts are coherent: the package is focused on querying the erp-web.mediportal.com.cn API for SFE/DM data and returning results encoded with the included TOON encoder.
Instruction Scope
SKILL.md instructs the agent to automatically install and use cms-auth-skills (via 'npx clawhub@latest install ...' and a GitHub fallback) if it's not present. It also mandates that the agent must run the included Python scripts (not call APIs directly). These are actionable instructions that involve network downloads and code execution beyond merely reading docs.
Install Mechanism
There is no formal install spec in registry metadata, but SKILL.md tells the agent to run npx clawhub to install cms-auth-skills and provides a GitHub repository fallback. That directs the agent to fetch and install external code at runtime from a third-party repo — higher-risk than an instruction-only skill and not a well-defined package source.
Credentials
Registry metadata declares no required env vars, yet both scripts expect an app key in XG_BIZ_API_KEY or XG_APP_KEY. The SKILL.md references cms-auth-skills for preparing appKey, but the skill fails to declare the credential requirements up-front. Requiring an appKey is reasonable for the API, but the omission in metadata is an inconsistency.
Persistence & Privilege
always is false and the skill does not request permanent presence. However, SKILL.md explicitly directs the agent to install another skill (cms-auth-skills) if missing, which effectively causes the agent environment to change by adding new skills; this is a privileged action and should be done only with explicit user approval.
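How to use
- Make sure OpenClaw is installed (locally or via Docker)
- Enter the install command in the chat box: /install sfe-dm-data-viewer
- Once installation completes, call the Skill by name or use /sfe-dm-data-viewer to trigger it
- Provide the required input according to the Skill's parameter description to get structured output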
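Version history
v1.0.1
Updated the skill description and documentation
v1.0.0
Initial release: a dedicated SFE data query tool for 德镁, used to query 德镁-specific custom data such as 百卢妥 daily collection feedback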
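Metadata
FAQ
What is Sfe Dm Data Viewer?
A dedicated SFE data query tool for 德镁, used to query 德镁-specific custom data such as 百卢妥 daily collection feedback. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 116 cumulative downloads so far.
How do I install Sfe Dm Data Viewer?
Run the command "/install sfe-dm-data-viewer" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is needed.
Is Sfe Dm Data Viewer free?
Yes, Sfe Dm Data Viewer is completely free. It is released under the MIT-0 license and can be freely downloaded, installed and used.
Which platforms does Sfe Dm Data Viewer support?
Sfe Dm Data Viewer runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).
Who developed Sfe Dm Data Viewer?
It is developed and maintained by spzwin (@spzwin); the current version is v1.0.1.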