
Sfe Sxk Data Viewer

Author spzwin · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 94
Favorites: 0
Current installs: 1
Versions: 1
Install in OpenClaw
/install sfe-sxk-data-viewer
Description
SFE 深西康-exclusive data query tool for quickly querying data from 深西康-specific collection project reports, such as the detail or summary reports of particular projects like 新活素查房日采集反馈V2.
Safe-usage recommendations
Key things to consider before installing or using this skill:
- The Python scripts do require an appKey (XG_BIZ_API_KEY or XG_APP_KEY) even though the skill metadata doesn't declare it. Don't provide that secret until you've reviewed and trusted the code and the remote API. Consider running the scripts locally first and inspecting their network calls.
- The request library in the script explicitly disables TLS verification (verify=False). This reduces the protection of the appKey and of data in transit; ask the maintainer to remove verify=False, or make sure you only run it on a trusted network.
- SKILL.md tells the agent to install a dependency (cms-auth-skills) via npx or from a GitHub URL if it is missing. That means the agent may perform network installs of third-party code; review the cms-auth-skills project source before allowing any auto-install.
- If you plan to grant the appKey, prefer running the provided scripts yourself in a controlled environment and inspect them for any exfiltration or unexpected endpoints. If you must use the skill hosted in an agent, only proceed if you trust the owner and the cms-auth-skills package, and consider rotating the appKey afterward.
- If you have low tolerance for supply-chain risk, decline, or ask the author to (a) declare required env vars in the metadata, (b) remove the insecure TLS setting, and (c) vendor or declare the cms-auth-skills dependency explicitly rather than instructing runtime npx installs.
Functional analysis
Type: OpenClaw Skill
Name: sfe-sxk-data-viewer
Version: 1.0.0
The skill bundle contains a security vulnerability and a potential supply chain risk. The script `scripts/sfe-sxk/xhs-ward-rounds-report-v2.py` explicitly disables SSL certificate verification (`verify=False`), which makes the connection to `erp-web.mediportal.com.cn` vulnerable to Man-in-the-Middle (MITM) attacks. Additionally, `SKILL.md` instructs the AI agent to execute `npx clawhub` to install a dependency from a specific external GitHub repository (`spzwin/cms-auth-skills.git`) if it is missing, which is a high-risk pattern for supply chain injection. While these appear to be operational choices rather than intentional malware, they exceed the threshold for benign classification.
Capability assessment
Purpose & Capability
The skill's name and description (SFE 深西康 data queries) match the included API docs and Python scripts, which call the stated ERP endpoint. However, the package metadata claims no required environment variables, while the scripts and documentation clearly require an application key (XG_BIZ_API_KEY or XG_APP_KEY). Also, SKILL.md declares a dependency on cms-auth-skills, but that dependency is not bundled: the skill instructs the agent to install it at runtime. These requirements are proportional to the purpose but are inconsistently declared.
Instruction Scope
SKILL.md enforces a workflow that will (a) read cms-auth-skills/SKILL.md for auth rules and, if it is missing, (b) run `npx clawhub@latest install cms-auth-skills --force` or fall back to installing from a GitHub repo. That instructs the agent to perform network installs of third-party code. The runtime scripts call the external ERP API and require an appKey. SKILL.md also requires that all API calls go through the provided scripts (reasonable), but it grants the agent discretion to install external packages; this is scope creep and a potential supply-chain risk.
Install Mechanism
There is no formal install spec in the skill metadata (lowest-risk), but SKILL.md instructs the agent to run npx to install cms-auth-skills or fall back to a GitHub URL. That is effectively an install mechanism triggered at runtime and would pull code from the network (npm / GitHub). Pulling and executing external code via npx from an unknown source increases risk and is not declared in the registry metadata.
Credentials
The skill metadata lists no required env vars, but the scripts and docs require an appKey via XG_BIZ_API_KEY or XG_APP_KEY, a clear mismatch. Requesting that appKey is proportionate to the stated ERP API purpose, but its omission from the metadata is an inconsistency. No other unrelated credentials are requested. Note: the script disables TLS verification (`verify=False` in requests), which raises the risk that the appKey or the returned data could be exposed to a man-in-the-middle attacker.
Persistence & Privilege
The skill does not request `always: true` and does not declare persistent system-wide privileges. It does not itself modify other skills or claim to change agent-wide settings. The main persistence/privilege risk comes from the SKILL.md instruction to run npx install commands (which would write and execute code), but the skill metadata does not request elevated privileges.
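An added example, not code from the skill or from this listing: a small pre-install audit that scans a skill bundle's files for the three issues raised above (TLS verification disabled in a script, env vars read by scripts but absent from the metadata, and runtime install instructions in SKILL.md). The bundle contents, the `metadata.json` file name and its `env` list are constructed assumptions, since the real files are not on this page.

```python
import json
import re

# Constructed sample bundle modelled on the review's findings; it is NOT the
# skill's real content. metadata.json with an "env" list is an assumed layout.
SAMPLE_BUNDLE = {
    "metadata.json": json.dumps({"name": "sfe-sxk-data-viewer", "version": "1.0.0", "env": []}),
    "SKILL.md": (
        "Read cms-auth-skills/SKILL.md for auth rules.\n"
        "If missing, run: npx clawhub@latest install cms-auth-skills --force\n"
    ),
    "scripts/sfe-sxk/xhs-ward-rounds-report-v2.py": (
        "import os, requests\n"
        "KEY = os.environ.get('XG_BIZ_API_KEY') or os.getenv('XG_APP_KEY')\n"
        "r = requests.get('https://erp-web.mediportal.com.cn/api', verify=False)\n"
    ),
}

# os.environ["X"], os.environ.get("X") and os.getenv("X") reads
ENV_READ = re.compile(r"os\.(?:environ(?:\.get)?|getenv)\s*[\[(]\s*['\"]([A-Z0-9_]+)['\"]")
# requests-style TLS verification switched off
TLS_OFF = re.compile(r"verify\s*=\s*False")
# instructions that make the agent fetch and run code at runtime
RUNTIME_INSTALL = re.compile(r"\b(?:npx\s+\S+|pip\s+install|git\s+clone)\b")


def audit_bundle(files):
    """Return (severity, path, message) findings for a {path: text} skill bundle."""
    findings = []
    meta = json.loads(files.get("metadata.json", "{}"))
    declared = set(meta.get("env", []))
    for path, text in files.items():
        if path.endswith(".py"):
            if TLS_OFF.search(text):
                findings.append(("high", path, "TLS verification disabled (verify=False)"))
            for name in sorted(set(ENV_READ.findall(text))):
                if name not in declared:
                    findings.append(("medium", path, f"reads undeclared env var {name}"))
        if path.endswith(".md"):
            for m in RUNTIME_INSTALL.finditer(text):
                findings.append(("high", path, f"instructs runtime install: {m.group(0)}"))
    return findings


if __name__ == "__main__":
    for severity, path, message in audit_bundle(SAMPLE_BUNDLE):
        print(f"[{severity}] {path}: {message}")
```

Run it against an unpacked skill directory by reading each file into the dict; an empty result is the condition a reviewer wants before handing over the appKey.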
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install sfe-sxk-data-viewer
  3. After installation, call the skill by name directly or trigger it with /sfe-sxk-data-viewer
  4. Provide the required inputs according to the skill's parameter description to get structured output
Version history
v1.0.0
Initial release of the SFE 深西康 data query (sfe-sxk-data-viewer) skill.
- Provides detail and summary report queries for 深西康-specific collection projects (such as 新活素查房日采集反馈V2)
- All API calls must go through the Python scripts; results are output uniformly in TOON encoding
- Depends on the cms-auth-skills component for a standardized authentication flow
- Strictly separated modules, documentation before scripts, on-demand loading enforced, safeguarding data security and production-environment conventions
- Provides a standardized capability tree, intent routing and practical example templates
Metadata
Slug sfe-sxk-data-viewer
Version 1.0.0
License MIT-0
Total installs 1
Current installs 1
Number of versions 1
FAQ

What is Sfe Sxk Data Viewer?

SFE 深西康-exclusive data query tool for quickly querying data from 深西康-specific collection project reports, such as the detail or summary reports of particular projects like 新活素查房日采集反馈V2. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 94 downloads to date.

How do I install Sfe Sxk Data Viewer?

Run the command "/install sfe-sxk-data-viewer" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is Sfe Sxk Data Viewer free?

Yes, Sfe Sxk Data Viewer is completely free, released under the MIT-0 license, and can be freely downloaded, installed and used.

Which platforms does Sfe Sxk Data Viewer support?

Sfe Sxk Data Viewer runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Sfe Sxk Data Viewer?

Developed and maintained by spzwin (@spzwin); current version v1.0.0.
