Yunshang Aifei Cli Share

API client for Yunshang Aifei OA system enabling query and write operations on tasks, projects, users, and reports via encrypted REST calls without browser d...

This skill is a legitimate-looking API client for an internal OA system, but before installing consider the following: - The code expects AIFEI_USERNAME and AIFEI_PASSWORD in a .env file — the registry metadata did not declare these, so you must provide credentials for it to work. Keep the .env private. - For captcha solving the module will try to find a DASHSCOPE_API_KEY. If you do not set DASHSCOPE_API_KEY in .env, the module will scan your OpenClaw config (~/.openclaw/openclaw.json and a sibling path) and use any found provider apiKey to call DashScope. If you do not want this skill to access other tool credentials, remove that logic or ensure OpenClaw config does not contain reusable secrets. - The captcha solver sends base64 image data to an external model endpoint using the discovered API key. That is functional for automation but means an external service will process captcha images; confirm you are comfortable with that data flow and that the API key’s provider is trusted. - The client caches tokens in files inside the skill workspace. If multiple users share the workspace, tokens could be reused; secure the workspace directory. If you want to proceed but reduce risk: - Provide DASHSCOPE_API_KEY explicitly in .env tied to a limited-scope account, or disable/replace the captcha solver with a local/manual step. - Inspect and, if necessary, remove the code paths that read OpenClaw configuration before running. - Run the tool only on the intended internal network (the API endpoints are internal IPs) and review the generated .token-*.json files after use. Given the mismatches and the skill reading other config files for API keys, treat this as suspicious until you confirm or restrict the credential-access behavior.

Type: OpenClaw Skill Name: yunshang-aifei-cli-share Version: 1.0.0 The skill bundle provides a comprehensive CLI for the '云上艾飞' OA system, allowing an AI agent to perform tasks such as querying project lists, managing todos, and handling expense reports. It features a robust API client in `aifei_api.py` that implements SM4 encryption and a captcha solver in `modules/captcha_solver.py` that leverages Alibaba's DashScope API. While the captcha solver reads the OpenClaw global configuration file (`openclaw.json`) to find API keys and uses a constrained `eval()` for arithmetic verification, these behaviors are clearly aligned with the stated purpose of providing a seamless, zero-configuration experience for the user. No evidence of data exfiltration, malicious execution, or prompt injection was found.