Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using it.

Customer List Analysis

v1.0.0

Customer list analysis tool. Based on Shop API customer list data, it quickly queries the number of customers of each type, a summary of trial status, and clerk (shopping-guide) matching status. Core capabilities: 1. Customer type distribution statistics (counts and proportions of regular/potential/intent/closed customers) 2. Customer trial summary (number of products of interest, number of trialed products, post-trial conversion) 3. Clerk matching analysis (customers linked to each clerk, number of failed matches and their reasons)...

by Xtechmerge.AI (@gwyang7)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill implements customer-list analysis functions that align with the description (type distribution, trial summary, clerk matching). However the code depends on an external api_client.get_shop_data and a local workspace path (~/.openclaw/workspace-front-door). Requiring a local API client is plausible for this purpose, but the bundled SKILL.md and code reference a specific absolute user path (/Users/yangguangwei/.openclaw/workspace-front-door) which is unusual and brittle for a reusable skill.
Instruction Scope
SKILL.md instructs calls to POST /api/v1/customer/list via api_client.get_shop_data only (expected). The implementation inserts an absolute filesystem path into sys.path and imports api_client from a user-specific directory; that causes the skill to load code from the host filesystem (outside the skill bundle). This expands scope beyond the documented API call because it will execute whatever api_client is present at that path.
Install Mechanism
No install spec or external downloads; the skill is packaged with Python code only. This avoids remote code fetch during install, but the runtime import of a local module still causes execution of external code at runtime.
Credentials
The skill declares no required env vars or credentials, yet it relies on an external api_client whose authentication behavior is unspecified. That client (loaded from a local path) may read credentials or config from the host (files, environment), so the skill's declared requirements understate its potential access to secrets/configuration.
Persistence & Privilege
The skill's always flag is false, and the skill does not request persistent system-level privileges or modify other skills. It only prints and returns analysis results.
What to consider before installing
This skill largely does what its description says, but it imports a Shop API client from a local path (sys.path.insert('/Users/yangguangwei/.openclaw/workspace-front-door')). Before installing or running it:
1) Inspect the api_client implementation in that local workspace to confirm how it authenticates and whether it reads any local secrets or config files.
2) Note that the code uses an absolute, user-specific path that may not exist or may point to another user's files; this is brittle and could cause unexpected imports.
3) Run the skill in an isolated/test environment (or replace the import with a controlled client) if you cannot verify the api_client.
4) If you expect this skill to be portable, ask the author to remove hard-coded user paths and to document how API credentials are provided.
Because the skill can execute code from your filesystem that is not included in the package, proceed with caution.

Like a lobster shell, security has layers — review code before you run it.

