微盛企微管家SCRM
Author: fangfang19 · v1.0.3 · MIT-0
Total downloads: 73 · Favorites: 0 · Current installs: 0 · Versions: 1
Install in OpenClaw
/install wecom-weisheng-scrm
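Description
Triggered when the user needs to query or manage business capabilities in 微盛企微管家 (WeCom) SCRM, such as customer information, customer tags, customer groups, marketing materials, live QR codes, mass messaging, follow-up records, chat records, contacts, business opportunities, reports, lucky draws, and customer schedules. It should also trigger in these WeCom customer operations and management scenarios even when the user does not explicitly mention SCRM, 企微管家, open interfaces, or an API.
Safe usage recommendations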
Key things to consider before installing:
- The skill actually needs a personal APP KEY (SCRM_APP_KEY) to work, but the registry entry did not declare any required env vars — assume the skill will ask for and store your APP_KEY. Verify you trust the source before providing it.
- The runbook tells the agent to run local Python scripts and to automatically execute an export command containing your APP_KEY (export SCRM_APP_KEY='...'). That means the skill will run shell commands and will persist the APP_KEY into your shell profile and into local cache files. Only proceed if you are comfortable with the skill modifying your shell profile and storing secrets on disk.
- The code communicates with https://open.wshoto.com (the intended service) and includes domain whitelisting for document fetches, which is consistent, but you should review the code yourself or have a trusted reviewer do so to ensure there is no hidden exfiltration to other endpoints.
- Recommended mitigations: install only from a trusted publisher; review scripts for any unexpected network endpoints or command execution; test in an isolated environment or VM first; do not provide highly-privileged account credentials unless necessary; consider manually setting APP_KEY in a controlled way rather than letting the skill persist it automatically; restrict file permissions on .cache and logs if you proceed.
Functional analysis
Type: OpenClaw Skill
Name: wecom-weisheng-scrm
Version: 1.0.3
The skill bundle is a legitimate integration for the WeCom Weisheng SCRM platform. It follows a well-structured design with clear operational boundaries, including a domain-restricted fetcher (scripts/raw_fetcher.py) limited to 'open.wshoto.com' and an identity management system (scripts/identity_manager.py) that enforces role-based access control at the agent level. While the tool includes a command to persist API keys by modifying shell profiles (scripts/scrm.py), this behavior is explicitly documented for user convenience rather than stealthy persistence. No evidence of data exfiltration, unauthorized remote execution, or malicious prompt injection was found.
Capability assessment
Purpose & Capability
The repository and SKILL.md clearly require a personal APP KEY (SCRM_APP_KEY) to call the open.wshoto.com APIs and to fetch tokens, which is consistent with the skill's purpose. However, the registry metadata lists no required environment variables or primary credential — that is inconsistent with the actual code and README which require SCRM_APP_KEY. The skill reads and writes local shell profiles and caches tokens, which is plausible for this integration but expands its footprint beyond a simple read-only skill.
Instruction Scope
The SKILL.md and references/agent-runbook.md explicitly instruct the agent to run local scripts (python3 scripts/scrm.py and others), to run check-env immediately, to restore and then immediately execute an exported command (export_hint) that contains the APP_KEY, and to persist APP_KEY via set-app-key into shell profiles. The runbook mandates executing script outputs (export commands) without an extra confirmation step; relying on script output to construct shell commands that are executed by the agent increases risk if the code or outputs are tampered with. The skill also reads shell profile files and Windows registry keys to recover credentials — that is functionally coherent but sensitive.
Install Mechanism
There is no remote download/install step in the skill manifest; install.sh only creates a symlink into ~/.openclaw/skills. No network-based installer or third-party package fetch is used. This is lower install-surface risk compared with fetching an external archive.
Credentials
Requesting SCRM_APP_KEY and using it to obtain an access_token is proportionate to the described purpose. However the registry metadata omission (no declared required env vars) is misleading. The skill also persists secrets into shell profile files and caches tokens and identity to disk (.cache/, logs/), which is functionally useful but increases sensitive data exposure and persistence beyond a single-run scope.
Persistence & Privilege
The skill persists the APP_KEY into shell profile files via set-app-key and writes token/identity caches in .cache, and logs to logs/scrm.log. The SKILL.md instructs the agent to immediately execute export commands returned by check-env (export_hint) to make the variable effective in the current shell — this requires the agent to run shell commands constructed from script output. While not 'always:true', the skill still requests ongoing local presence and the ability to modify shell startup files and write caches; that combination increases blast radius if the skill or its outputs are tampered with.
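How to use
- Make sure OpenClaw is installed (local or Docker deployment).
- Enter the install command in the chat box: /install wecom-weisheng-scrm
- Once installation completes, call the Skill by name or trigger it with /wecom-weisheng-scrm
- Provide the required inputs according to the Skill's parameter description to get structured output.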
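Version history
v1.0.3
Initial release: covers the full range of SCRM scenarios, including customers, tags, group chats, materials, live QR codes, mass messaging, follow-ups, conversation archiving, and business opportunities.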
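FAQ
What is 微盛企微管家SCRM?
It is triggered when the user needs to query or manage business capabilities in 微盛企微管家 (WeCom) SCRM, such as customer information, customer tags, customer groups, marketing materials, live QR codes, mass messaging, follow-up records, chat records, contacts, business opportunities, reports, lucky draws, and customer schedules. It should also trigger in these WeCom customer operations and management scenarios even when the user does not explicitly mention SCRM, 企微管家, open interfaces, or an API. It is an AI Agent Skill plugin for Claude Code / OpenClaw and has been downloaded 73 times in total so far.
How do I install 微盛企微管家SCRM?
Run the command "/install wecom-weisheng-scrm" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is needed.
Is 微盛企微管家SCRM free?
Yes. 微盛企微管家SCRM is completely free, is released under the MIT-0 license, and can be freely downloaded, installed, and used.
Which platforms does 微盛企微管家SCRM support?
微盛企微管家SCRM is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed 微盛企微管家SCRM?
It is developed and maintained by fangfang19 (@fangfang19); the current version is v1.0.3.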