Profit Optimization Engine
Advisory
Audited by Static analysis on May 2, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used with real orders, an agent or user could mark an order as paid in the local records even if the payment was not actually verified.
The script can mutate saved local order state by marking an order as paid. This is aligned with order management, but it affects local business records.
elif "--confirm" in args: ... found['status'] = 'paid' ... mgr._save(found)
Use --confirm only after independently verifying the order ID and payment status; treat the records as local bookkeeping unless connected to a real payment workflow.
Order and financial details entered into the tool can remain on disk and influence future reports.
The skill stores order names, prices, costs, status, and timestamps as persistent local JSON files and later reloads them for reports.
DATA_DIR = os.path.expanduser("~/.openclaw/workspace/state/orders") ... json.dump(order, f, indent=2)
Avoid entering sensitive real customer data unless local storage is acceptable, and delete or protect the state directory when records are no longer needed.
