Pharmaceutical Bidding
Automatically collects, verifies, and evaluates pharmaceutical system bidding info from provincial sites daily, updating WeChat Work tables with actionable o...
MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the code and SKILL.md: code performs web scraping/collection, filtering, evaluation, and posts to WeChat Work. Included dependencies (axios, cheerio, puppeteer) are plausible for scraping and the WeChat API integration is present.
Instruction Scope
SKILL.md instructs scraping provincial procurement sites, doing secondary search, and writing to WeChat Work — the code implements these workflows (search, filter, evaluate, post). Some key functions referenced in main.js (searchWebsite, searchEngineEnhance) are placeholders/not present in the provided file, indicating incomplete implementation rather than covert behaviour. The instructions allow arbitrary web searches and scraping, which will cause outbound network calls as expected.
Install Mechanism
No install spec is provided (instruction-only install), so nothing is pulled during install by the platform. However the package.json and package-lock are present and declare significant npm dependencies (including puppeteer). If you run npm install locally, that will fetch many packages from public registries — expected for scraping but higher footprint than a minimal script.
Credentials
The skill does not declare required env vars but expects secrets in config.json (wechatWork.apiToken, corpId/corpSecret, token, encodingAESKey). More importantly, validate-wecom-config.js searches for an openclaw.json at paths outside the skill directory (../../openclaw.json and ../../../openclaw.json) and will read it if present. That means the skill includes code that attempts to access workspace/global configuration which may contain other channel tokens or sensitive platform credentials — this access is not justified by the stated purpose and is disproportionate.
Persistence & Privilege
always is false and autonomous invocation is allowed (default). The skill schedules a daily job via node-cron when started and the provided crontab.txt demonstrates adding a cron entry if a user writes it. The code does not modify other skills' configs, but the validate-wecom-config.js file tries to read config files outside the skill folder — this cross-scope file access increases potential blast radius and should be restricted.
What to consider before installing
This skill mostly does what it says: scrapes procurement sites, evaluates bids, and posts to WeChat Work. Before installing or running it:
1) Do not commit real secrets (apiToken, corpSecret, token, encodingAESKey) into config.json in source control — store them in an environment or secure vault instead.
2) Remove or edit validate-wecom-config.js if you do not want the skill to read workspace/global configs (it looks for openclaw.json outside the skill folder and will read it); that behaviour is unnecessary for core functionality and could expose unrelated credentials.
3) Run npm install and review the installed packages locally (puppeteer is large and will download browsers).
4) Run the skill in an isolated environment (container or VM) and restrict its network access if you need to limit external calls.
5) Consider rotating/invalidating any secrets used for testing after validation.
If you want, I can point to the exact lines that read openclaw.json and suggest a safe patch to limit file access.
Like a lobster shell, security has layers — review code before you run it.
Current version: v1.0.0
SKILL.md
Pharmaceutical System Bidding Information Collection Skill
Overview
This skill automates the collection and analysis of pharmaceutical system related bidding information from provincial procurement websites. It performs verification, filtering, and evaluation to identify promising bidding opportunities for sales teams.
Workflow
1. Information Collection
- Source: Search provincial procurement websites using targeted keywords
- Query: "药学系统" (pharmaceutical system) related bidding information
- Output: Collect bidding information with source URLs
2. Verification & Filtering
For each collected item, verify all criteria:
- ✅ Product is a pharmaceutical system
- ✅ Deadline for obtaining bidding documents > 2 days
- ❌ Skip if any criteria fail
3. Secondary Research (if needed)
- When source URLs lack sufficient information
- Use search engines to gather additional details
- Apply same verification criteria
4. Data Recording
Record key information in WeChat Work smart table:
- 购标截止日期 (Bid document deadline)
- 开标日期 (Bid opening date)
- 招标单位 (Bidding unit)
- 项目名称 (Project name)
- 预算金额 (Budget amount)
- 涉及产品范围 (Product scope)
- 对应负责销售 (Responsible sales person)
5. Evaluation & Bidding Suggestions
If bidding documents available:
- Analyze bidding qualifications
- Review technical parameters
- Assess project budget
- Evaluate bid opening time
- Provide bidding recommendations
If no bidding documents available:
- Evaluate bid opening time
- Assess project budget
- Analyze product requirements
- Provide bidding recommendations
6. Project Classification
Mark as "可参与项目" (Participate) if meeting ANY criteria:
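- Bid opening date − today's date > 10 days AND bid document deadline − today's date > 2 days
- Project budget > 1 million yuan (100万元)
- Bidding unit is a tertiary (Level 3) hospital or a county people's hospital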
Scheduled Execution
- Time: Daily at 8:30 AM
- Action: Automatically collect and populate WeChat Work smart table
Required Tools
- Web search functionality
- Web scraping capabilities
- Data verification logic
- WeChat Work API integration
- Scheduling system
Configuration
- Target procurement websites to monitor
- WeChat Work smart table integration details
- Sales team assignment rules
- Budget thresholds
- Hospital classification criteria
