Total downloads: 184
Favorites: 0
Current installs: 0
Versions: 17
Install in OpenClaw
/install sn-work-record
Description
蜀宁 OA work-hour management; supports submitting, modifying and querying work hours.
Security usage recommendations
This skill's functionality (login, list, submit, query, update) is coherent with its code, but there are some things to check before installing:
- Confirm the missing declarations: SKILL.md and code require openssl and an OA_ENC_KEY (or a cached key file), yet the registry metadata listed no required binaries or env vars. Ask the author or maintainer to correct the registry metadata if you need explicit declarations for review/audit.
- Protect credentials: the skill reads a credentials file (~/.openclaw/workspace/memory/sn-work-record-credentials.md) which may be plain or .enc. If you use encryption, ensure OA_ENC_KEY is provided securely and file permissions restrict access (chmod 600). Prefer using .enc and providing the key only in a secure way.
- Evaluate the OCR handling: the captcha solver strips non-digit/operator characters then eval()s the expression. This is fragile — if the OCR output is malicious or the OA endpoint is compromised to return crafted captcha strings, eval could run unexpected code. If you will run this in a sensitive environment, review/modify the code to compute arithmetic safely (e.g., parse the expression into numbers/operators rather than eval).
- Check openssl availability: the code calls openssl via subprocess to decrypt files; ensure openssl on your system is the expected binary (absolute path if you want extra safety) and that using subprocess is acceptable in your environment.
- Network scope: the scripts will send credentials and tokens to the OA base URL you supply — confirm the base URL points to your internal OA server and not an untrusted external host.
- Run in isolation first: test in an isolated account/container with test OA credentials before using with real accounts.
If you are uncomfortable with any of the above or with the metadata mismatch, treat the skill as untrusted until the author clarifies and/or you harden the deployment (restrict files, review/patch eval usage, set explicit bin paths).
Functional analysis
Type: OpenClaw Skill
Name: sn-work-record
Version: 1.4.3
The skill automates work record management for a specific OA system but contains high-risk code patterns. Specifically, `oa_utils.py` uses `eval()` to solve arithmetic captchas after a regex filter, which is a classic RCE vulnerability pattern. Additionally, `runtime_bootstrap.py` implements a complex mechanism to automatically locate and execute alternative Python interpreters from various virtual environment paths (e.g., `~/.openclaw/workspace/ddddocr_env/bin/python`), which is an unusually powerful execution capability for a skill bundle. While these features appear intended for functionality and dependency management, they represent a significant attack surface.
Capability assessment
Purpose & Capability
The name/description (蜀宁 OA 工时管理) matches the supplied scripts: login, list projects, submit/query/update time entries. However the registry metadata provided earlier lists no required binaries or env vars, while the SKILL.md and code explicitly require openssl (used to decrypt .enc credentials) and an OA_ENC_KEY. This mismatch is an incoherence in the declared requirements.
Instruction Scope
Runtime instructions and scripts stick to OA tasks (login, captcha solve, session creation, POST/PUT/GET calls to /sn/* endpoints). They read a credentials file (plaintext or .enc), decrypt with openssl if needed, and send tokens to the OA base URL. Two items to note: (1) captcha recognition pipeline uses OCR output that is sanitized then passed to eval() to compute arithmetic results — this relies on sanitization and is a potential code-injection risk if OCR or input is tampered; (2) scripts call external network endpoints (the user's OA system) and will transmit username/password and tokens as part of normal operation, which is expected for this skill but worth being explicit about.
Install Mechanism
No install spec (instruction-only) — the skill ships Python scripts that run in-place and perform runtime bootstrap (re-exec into a Python interpreter with required modules). This is lower risk than arbitrary remote installers, but the runtime_bootstrap will execve other Python binaries on disk and the scripts call subprocess.run for openssl; those behaviors are expected for the shipped code but give the skill the ability to execute local binaries.
Credentials
The skill requires access to OA credentials (username/password/base URL/default project) and supports encrypted credential files decrypted with OA_ENC_KEY or a file at ~/.openclaw/workspace/.cache/oa_enc_key. Those secrets are appropriate for an OA integration, but the registry metadata omitted declaring OA_ENC_KEY and required openssl — this discrepancy is concerning (either packaging omitted required secret declarations, or the skill silently depends on secrets/binaries not recorded). Requiring environment-held decryption keys and reading credential files is sensitive and should be explicitly declared.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and does not persist beyond its own files. It does re-exec into available Python interpreters (runtime_bootstrap) but that behavior is local to the process and documented in SKILL.md.
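How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: `/install sn-work-record`
- After installation, call the Skill by name or use `/sn-work-record` to trigger it
- Provide the required input according to the Skill's parameter description to get structured output
Version history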
v1.4.3
Add privacy guidance: do not expose project/time-entry IDs in normal chat responses unless explicitly needed
v1.4.2
Hide project-specific IDs/names from docs and add state 30 mapping as 已审批
v1.9.0
Rename local env recommendation to sn_work_record_env; refresh runtime/skill docs; publish updated launcher and interpreter selection guidance
v1.4.1
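Added a unified launcher and runtime interpreter self-check/automatic switching; completed the environment notes and workflow documentation; removed the hard-coded dependency on a fixed virtual-environment name.
v1.8.0
This update: resolved some known issues.
v1.7.0
Fixed the description format; uses a YAML multi-line string to preserve the full description.
v1.6.0
This update: resolved some known issues.
v1.5.0
Fixed security-scan findings: declared the OA_ENC_KEY environment variable, the openssl binary dependency, and author information (chengcheng).
v1.4.0
Refactored to require the chinese_calendar library for workday determination and removed the fallback logic; the function changed from is_holiday to is_workday; make-up workdays from adjusted holidays are handled automatically.
v1.3.0
Uses the chinese_calendar library to determine holidays automatically (supports 2004-2026); falls back to hard-coded 2026-2027 data when the library is not installed.
v1.2.0
Added the holiday check function is_holiday, with automatic validation before submission; api.md now documents the holiday restriction.
v1.1.2
Updated the description.
v1.1.1
Trimmed the skill description.
v1.1.0
Refactor: extracted the shared module oa_utils.py, unifying credential parsing and captcha recognition; supports encrypted credentials (.enc); fillDate uses a pure date format; fixed code comparison compatibility.
v1.0.2
Encrypted storage: credentials are encrypted with AES-256-CBC; the passphrase is kept in memory only and never written to disk.
v1.0.1
Security update: declared credential requirements and added security recommendations.
v1.0.0
Initial release: query, withdraw, and modify work-hour descriptions.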
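FAQ
What is 蜀宁 OA work-hour management?
蜀宁 OA work-hour management supports submitting, modifying and querying work hours. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 184 cumulative downloads to date.
How do I install 蜀宁 OA work-hour management?
Run the command `/install sn-work-record` in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.
Is 蜀宁 OA work-hour management free?
Yes, 蜀宁 OA work-hour management is completely free and uses the MIT-0 license; it can be freely downloaded, installed and used.
Which platforms does 蜀宁 OA work-hour management support?
蜀宁 OA work-hour management is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed 蜀宁 OA work-hour management?
Developed and maintained by ithou (@ithou); the current version is v1.4.3.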