Trusted — Risk Score 5/100
Last scan: 1 day ago
cms-cwork
CWork API wrapper script collection: search employees, send/query reports, manage to-dos and tasks
A clean CWork API wrapper with no malicious behavior: all network requests go to the declared endpoint, credentials are only used for API auth, file reads are scoped to declared attachment uploads, no external dependencies, and no obfuscation or hidden functionality.
Skill Name: cms-cwork
Duration: 73.5s
Engine: pi
Safe to install
This skill is safe to use. No security concerns identified. The skill correctly handles credentials and only communicates with the declared CWork API endpoint.

Findings: 1 item

Severity: Info
Finding: Minor: cwork_client.py and cwork_api.py are near-identical duplicates [Doc Mismatch]
scripts/cwork_client.py and scripts/cwork_api.py share ~95% identical code. This is a maintenance concern rather than a security issue — both are Python standard library only with no functional difference.
Entire file is a near-copy of cwork_client.py
→ Consolidate into a single shared module to reduce code duplication and maintenance burden.
Location: scripts/cwork_api.py:1
Resource | Declared | Inferred | Status | Evidence
Network | READ | READ | ✓ Aligned | All urllib requests target self.BASE_URL = https://sg-al-cwork-web.mediportal.co…
Filesystem | READ | READ | ✓ Aligned | cwork_client.py:418 — open(file_path, 'rb') for declared attachment upload only
Environment | READ | READ | ✓ Aligned | os.environ.get('CWORK_APP_KEY') used solely for CWork API authentication
Shell | NONE | NONE | | No subprocess, os.system, or shell execution found
3 findings
Medium | External URL | https://.../searchEmpByName?searchKey=张 | SKILL.md:87
Medium | External URL | https://.../submit | SKILL.md:98
Medium | External URL | https://sg-al-cwork-web.mediportal.com.cn | SKILL.md:196

File Tree

41 files · 319.6 KB · 9802 lines
Python 24f · 6082L Markdown 16f · 3715L JSON 1f · 5L
├─ 📁 cms-cwork
│ ├─ 📁 design
│ │ ├─ 📝 DESIGN.md Markdown 168L · 5.7 KB
│ │ ├─ 📝 IMPROVEMENT-LOG.md Markdown 98L · 3.1 KB
│ │ ├─ 📝 LEARNING-LOOP.md Markdown 128L · 4.1 KB
│ │ └─ 📝 USAGE-ISSUES-LOG.md Markdown 203L · 6.4 KB
│ ├─ 📁 drafts
│ │ └─ 📝 api-keyword-search-demand.md Markdown 11L · 374 B
│ ├─ 📁 references
│ │ ├─ 📝 api-client.md Markdown 233L · 5.8 KB
│ │ ├─ 📝 api-endpoints.md Markdown 285L · 7.0 KB
│ │ └─ 🐍 original-api-client.py Python 482L · 15.9 KB
│ ├─ 📁 scripts
│ │ ├─ 🐍 cwork_api.py Python 482L · 15.9 KB
│ │ ├─ 🐍 cwork_client.py Python 613L · 21.0 KB
│ │ ├─ 🐍 cwork-create-task.py Python 87L · 3.3 KB
│ │ ├─ 🐍 cwork-nudge-report.py Python 174L · 6.6 KB
│ │ ├─ 🐍 cwork-query-report.py Python 130L · 5.1 KB
│ │ ├─ 🐍 cwork-query-tasks.py Python 192L · 7.6 KB
│ │ ├─ 🐍 cwork-review-report.py Python 114L · 4.1 KB
│ │ ├─ 🐍 cwork-search-emp.py Python 196L · 6.0 KB
│ │ ├─ 🐍 cwork-send-report.py Python 353L · 12.3 KB
│ │ ├─ 🐍 cwork-templates.py Python 79L · 2.0 KB
│ │ └─ 🐍 cwork-todo.py Python 139L · 3.8 KB
│ ├─ 📋 _meta.json JSON 5L · 128 B
│ └─ 📝 SKILL.md Markdown 698L · 22.9 KB
├─ 📁 design
│ ├─ 📝 DESIGN.md Markdown 168L · 5.7 KB
│ ├─ 📝 IMPROVEMENT-LOG.md Markdown 98L · 3.1 KB
│ ├─ 📝 LEARNING-LOOP.md Markdown 128L · 4.1 KB
│ └─ 📝 USAGE-ISSUES-LOG.md Markdown 203L · 6.4 KB
├─ 📁 drafts
│ └─ 📝 api-keyword-search-demand.md Markdown 11L · 374 B
├─ 📁 references
│ ├─ 📝 api-client.md Markdown 233L · 5.8 KB
│ ├─ 📝 api-endpoints.md Markdown 285L · 7.0 KB
│ └─ 🐍 original-api-client.py Python 482L · 15.9 KB
├─ 📁 scripts
│ ├─ 🐍 cwork_api.py Python 482L · 15.9 KB
│ ├─ 🐍 cwork_client.py Python 613L · 21.0 KB
│ ├─ 🐍 cwork-create-task.py Python 87L · 3.3 KB
│ ├─ 🐍 cwork-nudge-report.py Python 174L · 6.6 KB
│ ├─ 🐍 cwork-query-report.py Python 130L · 5.1 KB
│ ├─ 🐍 cwork-query-tasks.py Python 192L · 7.6 KB
│ ├─ 🐍 cwork-review-report.py Python 114L · 4.1 KB
│ ├─ 🐍 cwork-search-emp.py Python 196L · 6.0 KB
│ ├─ 🐍 cwork-send-report.py Python 353L · 12.3 KB
│ ├─ 🐍 cwork-templates.py Python 79L · 2.0 KB
│ └─ 🐍 cwork-todo.py Python 139L · 3.8 KB
└─ 📝 SKILL.md Markdown 765L · 24.7 KB

Dependencies: 1 item

Package | Version | Source | Known Vulns | Notes
Python standard library only | 3.10+ | stdlib | No | urllib, json, argparse, datetime, pathlib, mimetypes, sys, os — no pip packages needed

Security Positives

✓ Zero external dependencies — pure Python standard library (urllib, json, argparse, datetime, pathlib, mimetypes)
✓ No subprocess, shell execution, or command injection vectors
✓ All network requests are confined to the declared CWork API endpoint
✓ CWORK_APP_KEY credential is only used for authenticating to the legitimate CWork API, never exfiltrated
✓ No obfuscation (no base64, eval, exec, or encoded strings)
✓ No sensitive file path access (no ~/.ssh, ~/.aws, .env, or similar paths)
✓ File reads are scoped to declared attachment upload functionality via --file-paths parameter
✓ Documentation accurately reflects all implemented capabilities
✓ Includes dry-run/preview modes for safe write operations
✓ Consistent error handling with structured JSON output on both stdout and stderr