📦 Cms Report Issue — Issue Feedback

v1.0.2

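A unified entry point for quickly submitting bugs, errors, and improvement suggestions while using a Skill, and for viewing/closing issues. It accepts error output piped in through stdin and integrates seamlessly with cms-create-skill and cms-push-skill.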

Last updated: 2026/4/7
Security scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Assessment recommendation
This skill implements report/list/update of issues and calls a remote API by default (https://skills.mediportal.com.cn). Before installing: 1) Inspect or run the included Python scripts locally — they will POST error text (including stdin) to the remote service. 2) Be cautious that the scripts disable TLS certificate checks (insecure — enables MITM). 3) Note they read XG_USER_TOKEN/access-token/ACCESS_TOKEN from the environment even though metadata didn't declare credentials; avoid having sensit...
Detailed analysis
Purpose and capabilities
The scripts' network calls to a central issue-management API (https://skills.mediportal.com.cn) are coherent with the skill's stated purpose of reporting and listing issues. However the SKILL metadata declares no required env vars or credentials while the code reads token environment variables for auth; that omission is inconsistent and surprising.
Instruction scope
SKILL.md and scripts instruct the agent/user to run included Python scripts which will POST data to a remote API and optionally update issue status. The instructions reference 'cms-auth-skills' to prepare an access-token, but the skill does not declare or require any env vars — the scripts nonetheless read XG_USER_TOKEN / access-token / ACCESS_TOKEN. The scripts also accept stdin and can include arbitrary error output in reports, meaning potentially sensitive logs could be sent to the external endpoint.
Install mechanism
No install spec (instruction-only) which minimizes install-time risks. However the bundle includes Python scripts that assume a Python 3 runtime is present and will be executed; SKILL metadata does not list required binaries (python3), which is an inconsistency but not an intrinsic supply-chain risk.
Credential requirements
The code reads environment variables named XG_USER_TOKEN / access-token / ACCESS_TOKEN and will include them as an 'access-token' HTTP header when present. The skill metadata did not declare these required/optional env vars. Requesting or using access tokens is reasonable for updating issues, but the lack of declaration and the scripts' ability to upload arbitrary stdin/logs creates an exfiltration risk if sensitive data or unrelated tokens are present in the environment.
Persistence and privileges
The skill is not always-enabled and does not request elevated or persistent platform privileges. It does not modify other skills or system-wide settings.
Security is layered; review the code before running it.

Runtime dependencies

No special dependencies

Versions

latest · v1.0.2 · 2026/4/7 · Suspicious

Install command

Official: npx clawhub@latest install cms-report-issue
Mirror (accelerated): npx clawhub@latest install cms-report-issue --registry https://cn.longxiaskill.com
Data source: ClawHub · Chinese optimization: 龙虾技能库