Trusted (risk score 0/100)
Last scanned: 2 days ago
cms-cwork
Work Collaboration (CWork) Agent-First Skill — 8 Python orchestration scripts for report sending/querying/reviewing, task creation/querying, nudge reminders, todo management, and template querying
A clean, standard-library-only Python API client for an internal CWork collaboration platform with no malicious behavior, no credential theft, no obfuscation, and perfect doc-to-code alignment.
Skill name: cms-cwork
Analysis time: 46.9s
Engine: pi
OK to install
This skill is safe to use. No security concerns were identified.
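| Resource type | Declared permission | Inferred permission | Status | Evidence |
| --- | --- | --- | --- | --- |
| Network access | READ | READ | ✓ Consistent | All HTTP requests go to hardcoded domain https://sg-al-cwork-web.mediportal.com.… |
| File system | READ | READ | ✓ Consistent | upload_file() in cwork_api.py line 263 reads files only for attachment upload |
| Command execution | NONE | NONE | | No subprocess, os.system, or shell execution found in any script |
| Environment variables | NONE | READ | ✓ Consistent | Reads only CWORK_APP_KEY and CWORK_BASE_URL from os.environ |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | No browser automation |
| Database | NONE | NONE | | No direct database access |
| Skill invocation | NONE | NONE | | No cross-skill invocation |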
1 finding
Medium severity: External URL
https://sg-al-cwork-web.mediportal.com.cn
SKILL.md:24

Directory structure

16 files · 132.2 KB · 4001 lines
Python 11f · 2721L Markdown 5f · 1280L
├─ 📁 design
│ ├─ 📝 DESIGN.md Markdown 168L · 5.7 KB
│ └─ 📝 LEARNING-LOOP.md Markdown 128L · 4.1 KB
├─ 📁 references
│ ├─ 📝 api-client.md Markdown 233L · 5.8 KB
│ ├─ 📝 api-endpoints.md Markdown 285L · 7.0 KB
│ └─ 🐍 original-api-client.py Python 482L · 15.9 KB
├─ 📁 scripts
│ ├─ 🐍 cwork_api.py Python 482L · 15.9 KB
│ ├─ 🐍 cwork_client.py Python 525L · 18.5 KB
│ ├─ 🐍 cwork-create-task.py Python 87L · 3.3 KB
│ ├─ 🐍 cwork-nudge-report.py Python 174L · 6.6 KB
│ ├─ 🐍 cwork-query-report.py Python 103L · 3.6 KB
│ ├─ 🐍 cwork-query-tasks.py Python 192L · 7.6 KB
│ ├─ 🐍 cwork-review-report.py Python 114L · 4.1 KB
│ ├─ 🐍 cwork-send-report.py Python 344L · 11.9 KB
│ ├─ 🐍 cwork-templates.py Python 79L · 2.0 KB
│ └─ 🐍 cwork-todo.py Python 139L · 3.8 KB
└─ 📝 SKILL.md Markdown 466L · 16.4 KB

Security highlights

✓ Zero external dependencies — uses only Python 3 standard library (urllib, json, argparse, datetime)
✓ No shell execution, subprocess, os.system, or any command invocation
✓ No credential harvesting — only reads CWORK_APP_KEY from environment variable
✓ No data exfiltration — all network requests go to a single legitimate internal API domain
✓ No obfuscation — clean, readable Python code with no base64, eval, or exec
✓ No sensitive file/path access (no ~/.ssh, ~/.aws, .env access)
✓ No remote script execution (no curl|bash or wget|sh patterns)
✓ Perfect doc-to-code alignment — all documented capabilities match implementation
✓ No hidden functionality — every function is declared in SKILL.md
✓ Proper error handling with typed exceptions (CWorkError)
✓ Dry-run / preview-only modes for safe operation
✓ No persistence mechanisms (no cron, startup hooks, or backdoors)
✓ No supply chain risk — no external packages or unpinned dependencies
✓ Interactive confirmation prompts for destructive operations