📦 ITSM 工单自动提交 — 自动提交ITSM工单
v2.1.0利用系统内置 Chromium 与 Selenium,自动登录 ITSM 系统并提交头程、尾程询价、批次查询及问题反馈类工单,全程无需人工干预,提升运维响应速度。
0· 172·0 当前·0 累计
by 下载技能包
最后更新
2026/4/21
安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
This skill appears to implement the advertised automation but performs system-level operations and contains some inconsistencies you should review before installing. Recommendations:
- Inspect submit-itsm.py fully to confirm whether it reads environment variables or uploads arbitrary files. Search for os.environ usage and any code that posts data to endpoints other than the ITSM host.
- Do not run start.sh as root indiscriminately. The script may call sudo apt-get and pip; prefer running in a d...详细分析 ▾
ℹ 用途与能力
The name/description (automatically submit ITSM tickets via Chromium + Selenium) aligns with the shipped scripts (start.sh, submit-itsm.py, close.sh). However SKILL.md advertises environment variables (ITSM_USERNAME, ITSM_PASSWORD, etc.) and default credentials, while the registry metadata lists no required env vars. The code uses Chromium + Selenium as claimed, so capability matches purpose, but the undocumented/default credentials and env-var mismatch are inconsistent.
⚠ 指令范围
Runtime instructions and scripts perform system-level operations: installing Python packages (pip install), optionally downloading get-pip.py from the network, apt-get installing chromium-browser with sudo, launching Chromium with a remote-debugging port, and reading/using local file paths for attachments (including converting Windows paths to WSL paths). These actions go beyond a pure API wrapper and may access local files and expose a CDP port that other local processes could reach. The SKILL.md also suggests providing secrets via environment variables, but the manifest does not declare them.
ℹ 安装机制
There is no formal install spec in the registry (instruction-only). The scripts self-install dependencies at runtime: pip installs (selenium, requests), may fetch get-pip.py from https://bootstrap.pypa.io, and may apt-get install chromium-browser. The external URLs used are standard (PyPA, apt repos) rather than unknown shorteners or personal servers. Still, runtime downloads and automatic package installation are moderate-risk behaviors and may alter the host environment.
⚠ 凭证需求
SKILL.md lists environment variables for credentials and data, but the registry declares none — a mismatch that should be surfaced to users. The code embeds default username/password values (500525 / Xy@123456) which could lead to accidental use of insecure defaults. The skill can access arbitrary local files (attachmentPath) and will attempt to convert Windows paths to WSL paths, implying access to user files outside the skill directory.
✓ 持久化与权限
The skill is not flagged as always:true and does not request system-wide configuration changes in the manifest. It does start Chromium with remote-debugging enabled while running; this is transient to its operation and not recorded as persistent system modification by the manifest. No evidence the skill modifies other skills' configurations.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv2.1.02026/3/18
NULL
● 可疑
安装命令
点击复制官方npx clawhub@latest install itsm-skill
镜像加速npx clawhub@latest install itsm-skill --registry https://cn.longxiaskill.com