Scan report
5/100
cms-cwork
CWork API wrapper script collection: search employees, send/query reports, manage to-dos and tasks
A clean CWork API wrapper with no malicious behavior: all network requests go to the declared endpoint, credentials are only used for API auth, file reads are scoped to declared attachment uploads, no external dependencies, and no obfuscation or hidden functionality.
OK to install
This skill is safe to use. No security concerns identified. The skill correctly handles credentials and only communicates with the declared CWork API endpoint.
Security findings: 1
| Severity | Finding | Location |
|---|---|---|
| Info | Minor: cwork_client.py and cwork_api.py are near-identical duplicates (category: documentation deception) | scripts/cwork_api.py:1 |

| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Network access | READ | READ | ✓ Consistent | All urllib requests target self.BASE_URL = https://sg-al-cwork-web.mediportal.co… |
| File system | READ | READ | ✓ Consistent | cwork_client.py:418 — open(file_path, 'rb') for declared attachment upload only |
| Environment variables | READ | READ | ✓ Consistent | os.environ.get('CWORK_APP_KEY') used solely for CWork API authentication |
| Command execution | NONE | NONE | — | No subprocess, os.system, or shell execution found |
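3 findings
| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://.../searchEmpByName?searchKey=张 | SKILL.md:87 |
| Medium | External URL | https://.../submit | SKILL.md:98 |
| Medium | External URL | https://sg-al-cwork-web.mediportal.com.cn | SKILL.md:196 |

Directory structure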
41 files · 319.6 KB · 9802 lines
Python 24f · 6082L
Markdown 16f · 3715L
JSON 1f · 5L
```
├─ cms-cwork/
│  ├─ design/
│  │  ├─ DESIGN.md
│  │  ├─ IMPROVEMENT-LOG.md
│  │  ├─ LEARNING-LOOP.md
│  │  └─ USAGE-ISSUES-LOG.md
│  ├─ drafts/
│  │  └─ api-keyword-search-demand.md
│  ├─ references/
│  │  ├─ api-client.md
│  │  ├─ api-endpoints.md
│  │  └─ original-api-client.py
│  ├─ scripts/
│  │  ├─ cwork_api.py
│  │  ├─ cwork_client.py
│  │  ├─ cwork-create-task.py
│  │  ├─ cwork-nudge-report.py
│  │  ├─ cwork-query-report.py
│  │  ├─ cwork-query-tasks.py
│  │  ├─ cwork-review-report.py
│  │  ├─ cwork-search-emp.py
│  │  ├─ cwork-send-report.py
│  │  ├─ cwork-templates.py
│  │  └─ cwork-todo.py
│  ├─ _meta.json
│  └─ SKILL.md
├─ design/
│  ├─ DESIGN.md
│  ├─ IMPROVEMENT-LOG.md
│  ├─ LEARNING-LOOP.md
│  └─ USAGE-ISSUES-LOG.md
├─ drafts/
│  └─ api-keyword-search-demand.md
├─ references/
│  ├─ api-client.md
│  ├─ api-endpoints.md
│  └─ original-api-client.py
├─ scripts/
│  ├─ cwork_api.py
│  ├─ cwork_client.py
│  ├─ cwork-create-task.py
│  ├─ cwork-nudge-report.py
│  ├─ cwork-query-report.py
│  ├─ cwork-query-tasks.py
│  ├─ cwork-review-report.py
│  ├─ cwork-search-emp.py
│  ├─ cwork-send-report.py
│  ├─ cwork-templates.py
│  └─ cwork-todo.py
└─ SKILL.md
```
Dependency analysis: 1 item
| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| Python standard library only | 3.10+ | stdlib | No | urllib, json, argparse, datetime, pathlib, mimetypes, sys, os — no pip packages needed |
Security highlights
✓ Zero external dependencies — pure Python standard library (urllib, json, argparse, datetime, pathlib, mimetypes)
✓ No subprocess, shell execution, or command injection vectors
✓ All network requests are confined to the declared CWork API endpoint
✓ CWORK_APP_KEY credential is only used for authenticating to the legitimate CWork API, never exfiltrated
✓ No obfuscation (no base64, eval, exec, or encoded strings)
✓ No sensitive file path access (no ~/.ssh, ~/.aws, .env, or similar paths)
✓ File reads are scoped to declared attachment upload functionality via --file-paths parameter
✓ Documentation accurately reflects all implemented capabilities
✓ Includes dry-run/preview modes for safe write operations
✓ Consistent error handling with structured JSON output on both stdout and stderr