cms-cwork Security Report — Trusted | ClawSafe

0 /100

cms-cwork

工作协同 (CWork) Agent-First Skill — 8 Python orchestration scripts for report sending/querying/reviewing, task creation/querying, nudge reminders, todo management, and template querying

A clean, standard-library-only Python API client for an internal CWork collaboration platform with no malicious behavior, no credential theft, no obfuscation, and perfect doc-to-code alignment.

Skill Namecms-cwork

Duration46.9s

Enginepi

✓

Safe to install

This skill is safe to use. No security concerns were identified.

Resource	Declared	Inferred	Status	Evidence
Network	`READ`	`READ`	✓ Aligned	All HTTP requests go to hardcoded domain https://sg-al-cwork-web.mediportal.com.…
Filesystem	`READ`	`READ`	✓ Aligned	upload_file() in cwork_api.py line 263 reads files only for attachment upload
Shell	`NONE`	`NONE`	—	No subprocess, os.system, or shell execution found in any script
Environment	`NONE`	`READ`	✓ Aligned	Reads only CWORK_APP_KEY and CWORK_BASE_URL from os.environ
Clipboard	`NONE`	`NONE`	—	No clipboard access
Browser	`NONE`	`NONE`	—	No browser automation
Database	`NONE`	`NONE`	—	No direct database access
Skill Invoke	`NONE`	`NONE`	—	No cross-skill invocation

1 findings

🔗

Medium External URL 外部 URL

https://sg-al-cwork-web.mediportal.com.cn

SKILL.md:24

File Tree

16 files · 132.2 KB · 4001 lines

Python 11f · 2721L Markdown 5f · 1280L

├─ ▾ 📁 design

│ ├─ 📝 DESIGN.md Markdown 168L · 5.7 KB

│ └─ 📝 LEARNING-LOOP.md Markdown 128L · 4.1 KB

├─ ▾ 📁 references

│ ├─ 📝 api-client.md Markdown 233L · 5.8 KB

│ ├─ 📝 api-endpoints.md Markdown 285L · 7.0 KB

│ └─ 🐍 original-api-client.py Python 482L · 15.9 KB

├─ ▾ 📁 scripts

│ ├─ 🐍 cwork_api.py Python 482L · 15.9 KB

│ ├─ 🐍 cwork_client.py Python 525L · 18.5 KB

│ ├─ 🐍 cwork-create-task.py Python 87L · 3.3 KB

│ ├─ 🐍 cwork-nudge-report.py Python 174L · 6.6 KB

│ ├─ 🐍 cwork-query-report.py Python 103L · 3.6 KB

│ ├─ 🐍 cwork-query-tasks.py Python 192L · 7.6 KB

│ ├─ 🐍 cwork-review-report.py Python 114L · 4.1 KB

│ ├─ 🐍 cwork-send-report.py Python 344L · 11.9 KB

│ ├─ 🐍 cwork-templates.py Python 79L · 2.0 KB

│ └─ 🐍 cwork-todo.py Python 139L · 3.8 KB

└─ 📝 SKILL.md Markdown 466L · 16.4 KB

Security Positives

✓ Zero external dependencies — uses only Python 3 standard library (urllib, json, argparse, datetime)

✓ No shell execution, subprocess, os.system, or any command invocation

✓ No credential harvesting — only reads CWORK_APP_KEY from environment variable

✓ No data exfiltration — all network requests go to a single legitimate internal API domain

✓ No obfuscation — clean, readable Python code with no base64, eval, or exec

✓ No sensitive file/path access (no ~/.ssh, ~/.aws, .env access)

✓ No remote script execution (no curl|bash or wget|sh patterns)

✓ Perfect doc-to-code alignment — all documented capabilities match implementation

✓ No hidden functionality — every function is declared in SKILL.md

✓ Proper error handling with typed exceptions (CWorkError)

✓ Dry-run / preview-only modes for safe operation

✓ No persistence mechanisms (no cron, startup hooks, or backdoors)

✓ No supply chain risk — no external packages or unpinned dependencies

✓ Interactive confirmation prompts for destructive operations

Scan Report

File Tree

Security Positives