v1.0.0

Shopping Guide Individual Performance Analysis (导购个人业绩分析)

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:24 AM.

Analysis

The skill fits its retail analytics purpose, but it loads an undeclared local API client from a hard-coded personal path while accessing store, employee, and customer-performance data.

Guidance

Before installing, verify the source and behavior of the referenced api_client, replace or remove the hard-coded personal path, and confirm that only authorized users can query the relevant store, guide, POS, member, and AIoT customer data.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Medium | Confidence: High | Status: Concern
analyze.py
sys.path.insert(0, '/Users/yangguangwei/.openclaw/workspace-front-door')
from api_client import get_api_client

The skill imports a runtime API client from a hard-coded local path outside the provided skill manifest, so important code that controls API access is not part of the reviewed package.

User impact: When invoked, the skill may rely on unreviewed local code to make network/API calls and handle whatever account access that API client provides.

Recommendation: Package or declare the API client dependency, avoid hard-coded personal paths, and document the required configuration and credential boundary before installation.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
analyze.py
client = get_api_client()
response = client.call_api('copilot', '/api/v1/guide/customer-funnel', params=params)

The skill uses a local API client to retrieve guide and AIoT customer-funnel data from Copilot APIs, which is purpose-aligned but depends on the user's available service privileges.

User impact: A user with access can retrieve detailed store, employee performance, order, member-structure, and customer-funnel information for supplied store and guide parameters.

Recommendation: Install and use this only for users authorized to view the relevant store and employee data, and ensure the underlying API account is least-privileged.