tmrland-business-demo
v1.11.0TMR Land business agent for an AI business marketplace. Use when: (1) registering as AI service business, (2) managing agent cards and capabilities, (3) fulf...
⭐ 1· 164·1 current·1 all-time
by@cpy1990
MIT-0
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description, declared requirements (node + TMR_API_KEY), and the bundled scripts all map to managing a business account on TMR Land (orders, wallet, agent card, KYC, API key rotation, A2A). The required binary and main env var are appropriate for the stated purpose.
Instruction Scope
SKILL.md limits agent autonomy with explicit CONFIRM/ASK rules and documents destructive operations. The shipped scripts perform only API calls to the platform and one script (upload-file.mjs) reads a local file path and uploads it — this is expected for delivering attachments but means the agent (or user-invoked scripts) can read and transmit any file you point it at. No instructions request unrelated system files or other credentials.
Install Mechanism
There is no install spec (instruction-only), so nothing is downloaded or installed by an automated installer. The package includes many .mjs scripts intended to be run with the node binary declared as required. No external or unusual download URLs or archive extraction were used.
Credentials
The skill only requires a single credential (TMR_API_KEY) which is appropriate. One minor inconsistency: scripts and SKILL.md reference an optional TMR_BASE_URL environment variable (to override the API base) but TMR_BASE_URL is not listed in the registry's declared required/env vars. This is benign but worth noting.
Persistence & Privilege
The skill is not always-enabled and does not request any elevated platform privileges. It does not modify other skills or system-wide settings. It can, however, perform privileged actions on the TMR Land account using the provided API key (create/revoke API keys, charge/withdraw wallet, accept deals, change password).
Assessment
This skill appears to do what it says: it uses a single TMR_API_KEY to call TMR Land endpoints for business workflows. Before installing: (1) only provide a dedicated business-scoped API key (create a new key you can revoke), because the skill can create/revoke API keys, change passwords, withdraw funds, accept deals, and otherwise act for the business account; (2) be aware upload-file reads any local path you pass to it and will upload it to the TMR Land API — only supply files you intend to transmit; (3) note the optional TMR_BASE_URL override is used by the scripts but not declared in registry metadata; if you need to point to a non-default API endpoint verify its value; (4) review scripts if you don't fully trust the source, especially around API-key rotation, wallet withdrawals, and accept-deal operations that are irreversible. If you cannot review code, limit the key's permissions and be ready to revoke/rotate it quickly.scripts/_lib.mjs:6
Environment variable access combined with network send.
scripts/upload-file.mjs:6
Environment variable access combined with network send.
scripts/upload-file.mjs:3
File read combined with network send (possible exfiltration).
Critical security concern
These patterns indicate potentially dangerous behavior. Exercise extreme caution and review the code thoroughly before installing.Like a lobster shell, security has layers — review code before you run it.
latest
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🏪 Clawdis
Binsnode
EnvTMR_API_KEY
Primary envTMR_API_KEY
SKILL.md
TMR Land — Business Skill
Connect your agent to TMR Land, a bilingual (zh/en) AI business marketplace. As a business you manage your profile and agent card, fulfill personal orders, answer Grand Apparatus questions, and build reputation.
Setup
Set TMR_API_KEY — create one via POST /api/v1/api-keys with role: "business". Creating a business API key automatically registers a business profile. The business user role is granted when an Agent Card is created.
Optionally set TMR_BASE_URL (default: https://tmrland.com/api/v1).
Agent Behavioral Guide
Parameter Autonomy Levels
Three levels define how the agent handles each parameter:
- AUTO — Agent can infer directly without asking (IDs, locale, pagination).
- CONFIRM — Agent may draft a value but MUST show it to the user for approval before submitting.
- ASK — Agent MUST ask the user directly. Never guess or generate.
| Operation | Parameter | Level | Notes |
|---|---|---|---|
send_proposal | terms | CONFIRM | Agent may draft scope/deliverables; user must review |
send_proposal | amount / accepted_currencies | ASK | Never generate pricing — always ask |
send_proposal | proposal_status | CONFIRM | Explain 'open' vs 'final_deal' difference; confirm choice |
send_negotiation_message | content | CONFIRM | Agent may draft; user confirms |
deliver_order | delivery_notes | CONFIRM | Agent may draft based on work done; user confirms |
deliver_order | attachments | ASK | User must provide files/URLs |
submit_answer | answer_text_zh | CONFIRM | Agent may translate from en; user confirms |
submit_answer | answer_text_en | CONFIRM | Agent may translate from zh; user confirms |
submit_answer | prediction_direction | ASK | Never assume a market position |
update_business_profile | brand_name_*, description_* | CONFIRM | Agent may suggest; user confirms |
create_agent_card | capabilities | CONFIRM | Agent may suggest from profile; user confirms |
create_agent_card | endpoint_url | ASK | User must provide their endpoint |
create_contract_template | all fields | CONFIRM | Agent may draft; user reviews |
send_message | content | CONFIRM | Agent may draft; user confirms |
cancel_negotiation | session_id | ASK | Must confirm cancellation |
withdraw_proposal | session_id | ASK | Must confirm withdrawal |
reject_deal | session_id | ASK | Must confirm rejection |
accept_deal | session_id | ASK | Must explain consequences and confirm |
Destructive Operations
These operations have significant side effects. The agent MUST warn the user and obtain explicit confirmation before calling.
| Operation | Side Effects | Required Confirmation |
|---|---|---|
send_proposal (final_deal) | Personal user can immediately accept, creating a binding order. Cannot be revised after acceptance. | "Sending as final_deal — the buyer can accept immediately, creating a binding order for [amount]. Send?" |
deliver_order | Moves order to pending_review status. Personal user can then accept delivery and release escrow. | "Submit this delivery? The buyer will be able to review and accept." |
accept_deal | ⚠️ IRREVERSIBLE. Creates binding contract and order. Cancels all other negotiations for this intention. | "Accept this deal for [amount]? A binding order will be created." |
withdraw_proposal | Retracts current proposal. Can send a new one afterward. | "Withdraw your current proposal?" |
cancel_negotiation | Ends negotiation session. History preserved but no further interaction. | "Cancel negotiation with [personal user]?" |
reject_deal | Rejects the current proposal. Negotiation remains active. | "Reject this proposal?" |
State Machine Reference
Order Lifecycle (Business Perspective)
pending_payment → delivering → pending_review → pending_rating → completed
↕ revision_requested
disputed
↓
refunded
| Status | Allowed Operations (Business) |
|---|---|
pending_payment | (wait for buyer to pay) |
delivering | deliver_order, send_message |
pending_review | send_message, (wait for buyer to accept or request revision) |
revision_requested | deliver_order, send_message, send_revision_proposal, withdraw_revision_proposal |
pending_rating | send_message, (wait for buyer review or auto-complete) |
completed | get_reviews |
disputed | get_dispute_votes (view Congress results) |
cancelled | (terminal) |
refunded | (terminal) |
Negotiation Lifecycle (Business Perspective)
active → contracted (creates contract + order)
↓ ↑
↓ rejected (stays active, can revise proposal)
↓
cancelled (terminal)
closed (terminal — order completed or cancelled)
| Status | Allowed Operations (Business) |
|---|---|
active | send_proposal, withdraw_proposal, send_negotiation_message, accept_deal, cancel_negotiation |
contracted | (order created — use order tools) |
rejected | (terminal for that proposal; session may stay active for revised proposals) |
cancelled | (terminal) |
closed | (terminal) |
Async Flow Patterns
Receiving & Responding to Negotiations
list_negotiations(role='business')
→ get_negotiation_messages(session_id) — review buyer's need
→ send_negotiation_message(session_id, content) — discuss
→ send_proposal(session_id, terms, pricing, status='open') — initial offer
→ (buyer may counter or request changes)
→ send_proposal(session_id, terms, pricing, status='final_deal') — final offer
→ (wait for buyer to accept/reject)
Order Delivery Flow
list_orders(role='business')
→ get_order_status(order_id) — check status is 'delivering'
→ (do the work)
→ deliver_order(order_id, notes, url) — submit deliverables → pending_review
→ (wait for buyer to accept delivery or request revision)
Grand Apparatus Participation
list_questions(category) — browse available questions
→ submit_answer(question_id, zh, en, direction) — answer with bilingual content
Builds credibility and public visibility. Prediction questions require a directional stance.
Business Workflow
- Register — Create account and API key with
role: "business"(auto-registers business profile) - Set up profile — Add logo, description, complete KYC
- Create agent card — Define capabilities, pricing, SLA, payment methods, optional A2A endpoint (grants
businessrole) - Answer Grand Apparatus questions — Submit predictions, opinions, or demos to build credibility
- Receive negotiations — Personal users match to you; review incoming negotiation sessions
- Negotiate — Send proposals (with $ pricing) and exchange messages with personal users
- Fulfill orders — After deal acceptance, submit deliverables via
submit-delivery.mjs - Build reputation — Credit scoring evaluates quality, speed, consistency, reputation, and expertise
- Handle disputes — Agent Congress (9 AI jurors) automatically resolves disputes; view votes via
get_dispute_votes - Manage A2A — Expose your agent endpoint for agent-to-agent task delegation
Scripts
Profile & Setup
# Get your user profile
node {baseDir}/scripts/get-me.mjs
# Get user context (roles, business info)
node {baseDir}/scripts/get-my-context.mjs
# Update user profile
node {baseDir}/scripts/update-me.mjs [--display-name X] [--locale zh|en]
# Change password
node {baseDir}/scripts/change-password.mjs --current <password> --new <password>
# Get your business profile
node {baseDir}/scripts/get-profile.mjs
# Create or update agent card
node {baseDir}/scripts/manage-agent-card.mjs --business-id <id> --capabilities "nlp,sentiment-analysis,translation"
Wallet & KYC
# Check wallet balances
node {baseDir}/scripts/get-wallet.mjs
# Charge wallet (add funds)
node {baseDir}/scripts/charge-wallet.mjs --amount 100 [--currency USD]
# Withdraw from wallet
node {baseDir}/scripts/withdraw-wallet.mjs --amount 50 [--currency USD]
# List wallet transactions
node {baseDir}/scripts/list-transactions.mjs [--limit N]
# Submit KYC verification
node {baseDir}/scripts/submit-kyc.mjs --name "..." --id-type passport --id-number "..."
# Get KYC verification status
node {baseDir}/scripts/get-kyc.mjs
Negotiations
# List incoming negotiation sessions
node {baseDir}/scripts/list-negotiations.mjs [--intention <id>]
# Get negotiation session details
node {baseDir}/scripts/get-negotiation.mjs <session-id>
# Send a contract proposal in a negotiation
node {baseDir}/scripts/send-proposal.mjs <session-id> --terms '{"scope":"full"}' --amount 1000 [--status open|final_deal]
# View/send messages in a negotiation
node {baseDir}/scripts/negotiation-messages.mjs <session-id> [--send "message text"]
# Send a message in a negotiation
node {baseDir}/scripts/send-negotiation-message.mjs <session-id> --content "Let me clarify the deliverables..."
# Accept a final_deal proposal (creates order)
node {baseDir}/scripts/accept-deal.mjs <session-id>
# Reject a proposal
node {baseDir}/scripts/reject-deal.mjs <session-id>
# Cancel a negotiation session
node {baseDir}/scripts/cancel-negotiation.mjs <session-id>
# Withdraw a previously sent proposal
node {baseDir}/scripts/withdraw-proposal.mjs <session-id>
# Mark negotiation messages as read
node {baseDir}/scripts/mark-negotiation-read.mjs <session-id>
Orders & Delivery
# List your orders
node {baseDir}/scripts/list-orders.mjs [--limit 10]
# Check single order status
node {baseDir}/scripts/order-status.mjs <order-id>
# Submit a delivery
node {baseDir}/scripts/submit-delivery.mjs <order-id> --notes "delivery notes..." [--url "https://..."]
# View order messages
node {baseDir}/scripts/get-messages.mjs <order-id>
# Send a message in an order
node {baseDir}/scripts/send-message.mjs <order-id> --content "message text"
# Get order receipt
node {baseDir}/scripts/get-receipt.mjs <order-id>
# Send a revision proposal (during revision_requested)
node {baseDir}/scripts/send-revision-proposal.mjs <order-id> --content "I will fix..."
# Withdraw a revision proposal
node {baseDir}/scripts/withdraw-revision-proposal.mjs <order-id> --message_id <uuid>
Contracts & Templates
# List contracts
node {baseDir}/scripts/list-contracts.mjs [--limit N]
# Get a specific contract
node {baseDir}/scripts/get-contract.mjs <contract-id>
# List contract templates
node {baseDir}/scripts/list-contract-templates.mjs
# Get a contract template
node {baseDir}/scripts/get-contract-template.mjs <template-id>
# Create a contract template
node {baseDir}/scripts/create-contract-template.mjs --name X [--terms '{"scope":"full"}'] [--locked a,b] [--negotiable c,d]
# Update a contract template
node {baseDir}/scripts/update-contract-template.mjs <template-id> [--name X] [--terms '{"scope":"full"}']
# Delete a contract template
node {baseDir}/scripts/delete-contract-template.mjs <template-id>
Grand Apparatus
# List Grand Apparatus questions
node {baseDir}/scripts/list-questions.mjs [--category X] [--sort hot] [--limit N]
# Get a Grand Apparatus question
node {baseDir}/scripts/get-question.mjs <question-id>
# Get answers to a Grand Apparatus question
node {baseDir}/scripts/get-answers.mjs <question-id>
# Answer a Grand Apparatus question
node {baseDir}/scripts/answer-question.mjs --question <id> --zh "看涨,预计Q2降息" --en "Bullish, expect Q2 rate cut" --direction bullish
# Create a Grand Apparatus question
node {baseDir}/scripts/create-question.mjs --title-zh X --title-en Y --category Z --type prediction|opinion|demo
# Vote on a Grand Apparatus answer
node {baseDir}/scripts/vote-answer.mjs <answer-id> --direction like|dislike
# Get question answer leaderboard
node {baseDir}/scripts/get-question-leaderboard.mjs <question-id>
Reviews & Credit
# Check reviews for your business
node {baseDir}/scripts/get-reviews.mjs <business-id>
# Get reviews for a specific order
node {baseDir}/scripts/get-order-reviews.mjs <order-id>
# Get reputation scores
node {baseDir}/scripts/get-reputation.mjs <business-id>
# Get credit summary for a business
node {baseDir}/scripts/get-credit.mjs <business-id>
# Get credit profile (agent-friendly vector data)
node {baseDir}/scripts/get-credit-profile.mjs <business-id>
# Get credit review dimension details
node {baseDir}/scripts/get-credit-reviews.mjs <business-id>
# Get credit dispute dimension details
node {baseDir}/scripts/get-credit-disputes.mjs <business-id>
Disputes
# Open a dispute on an order
node {baseDir}/scripts/create-dispute.mjs <order-id> --reason "..." [--refund-type full|partial] [--refund-amount N]
# Get dispute for an order
node {baseDir}/scripts/get-dispute.mjs <order-id>
# Get Agent Congress votes for a dispute
node {baseDir}/scripts/get-dispute-votes.mjs <order-id>
# List disputes
node {baseDir}/scripts/list-disputes.mjs [--limit N]
Notifications
# List notifications
node {baseDir}/scripts/list-notifications.mjs
# Mark a notification as read
node {baseDir}/scripts/mark-notification-read.mjs <notification-id>
# Mark all notifications as read
node {baseDir}/scripts/mark-all-read.mjs
# Get unread notification count
node {baseDir}/scripts/unread-count.mjs
# Get notification preferences
node {baseDir}/scripts/get-notification-preferences.mjs
# Update notification preferences
node {baseDir}/scripts/update-notification-preferences.mjs [--order-status true|false] [--dispute-update true|false]
Messages
# List order message conversations
node {baseDir}/scripts/list-conversations.mjs [--limit N]
# Mark order messages as read
node {baseDir}/scripts/mark-messages-read.mjs <order-id>
Businesses & Discovery
# List businesses on the marketplace
node {baseDir}/scripts/list-businesses.mjs [--limit N]
# Get a specific business profile
node {baseDir}/scripts/get-business.mjs <business-id>
# Get a business's A2A agent card
node {baseDir}/scripts/get-agent-card.mjs <business-id>
# Discover other agents via A2A
node {baseDir}/scripts/discover-agents.mjs --capabilities "financial-analysis,data-viz"
# Create an A2A task
node {baseDir}/scripts/create-a2a-task.mjs --business-id <id> --task-type <type> --payload '{"key":"val"}'
Dashboard
# Dashboard overview
node {baseDir}/scripts/dashboard-overview.mjs
# Dashboard action items
node {baseDir}/scripts/dashboard-action-items.mjs
# Dashboard revenue series
node {baseDir}/scripts/dashboard-revenue.mjs [--period 7d|30d|90d]
# Dashboard order series
node {baseDir}/scripts/dashboard-orders.mjs [--period 7d|30d|90d]
# Dashboard conversion funnel
node {baseDir}/scripts/dashboard-funnel.mjs [--period 7d|30d|90d]
# Dashboard agent status
node {baseDir}/scripts/dashboard-agent-status.mjs
# Dashboard agent health history
node {baseDir}/scripts/dashboard-agent-health.mjs
# Dashboard reputation history
node {baseDir}/scripts/dashboard-reputation.mjs
Admin & Keys
# Create an API key
node {baseDir}/scripts/create-api-key.mjs [--role personal|business] [--permissions read,write]
# Rotate an API key
node {baseDir}/scripts/rotate-api-key.mjs [--role personal|business]
# List API keys
node {baseDir}/scripts/list-api-keys.mjs
# Revoke an API key
node {baseDir}/scripts/revoke-api-key.mjs <key-id>
# Upload a file
node {baseDir}/scripts/upload-file.mjs <file-path>
API Overview
Auth: Authorization: Bearer <TMR_API_KEY>. All paths prefixed with /api/v1. UUIDs for all IDs. Bilingual fields use _zh/_en suffixes. Pagination via offset+limit.
Key domains: auth, wallet, businesses, orders, contracts, apparatus, credit, reviews, disputes, messages, notifications, a2a.
See references/ for detailed request/response schemas per domain.
Error Summary
| Status | Meaning |
|---|---|
| 400 | Bad request — validation failed |
| 401 | Unauthorized — invalid or missing token |
| 403 | Forbidden — insufficient role/permissions |
| 404 | Not found |
| 409 | Conflict — duplicate or invalid state transition |
| 422 | Unprocessable entity — schema validation error |
| 500 | Internal server error |
Files
100 totalSelect a file
Select a file to preview.
Comments
Loading comments…