Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Store Sales Performance Analysis
v1.0.0 Store sales performance period-over-period analysis tool. Supports store/sales-associate performance comparison (current period vs. previous period), identifies causes of performance fluctuation, quantifies attribution, and outputs diagnostic conclusions and improvement suggestions. Use cases: 1. Overall store performance analysis (sales revenue, order count, average order value, attach rate) 2. Individual sales-associate performance analysis (ranking, share of performance, capability radar chart) 3. Multi-store/multi-associate comparison 4. Performance fluctuation attribution (order contribution v...
by Xtechmerge.AI (@gwyang7)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence

Purpose & Capability
The skill's name, description, SKILL.md and analyze.py all describe sales performance analysis and the code implements that logic. Requesting data via an API client (get_copilot_data) is consistent with the stated purpose. However, the implementation requires a local api_client module found under a user-specific path rather than declaring explicit credentials or a network host, which is an implementation detail that should have been documented as part of required configuration.
Instruction Scope
SKILL.md and the code both instruct the agent to fetch /api/v1/store/dashboard/bi data and then parse/attribute metrics — that stays within the stated analysis scope. The concern: analyze.py modifies sys.path to import a local module from an absolute home directory (/Users/yangguangwei/.openclaw/workspace-front-door) and the SKILL.md references ~/.openclaw/workspace-front-door/. This means the skill will load and execute local code (api_client) and rely on whatever auth/logic that module contains; the SKILL.md does not describe what that local module will do or what credentials it will use.
Install Mechanism
There is no install spec and the skill is instruction+code only (no external downloads). That minimizes install-time risk. The code is included in the bundle, so nothing will be fetched on install by the skill itself.
Credentials
The skill declares no required environment variables or primary credentials, yet it depends on a local api_client which likely performs authenticated requests. This makes credential usage implicit: the api_client may read local config, tokens or environment variables not declared in the skill. Also the code hardcodes an absolute home path (/Users/yangguangwei/...), exposing a developer username and creating a discrepancy with the SKILL.md's tilde-based path; that is disproportionate and could lead to access to other files under that workspace.
Persistence & Privilege
always is false and there is no indication the skill modifies system-wide agent settings or other skills. The skill does not request persistent installation privileges in the provided metadata.
What to consider before installing
Before installing or running this skill, do the following:
1) Inspect the api_client module referenced at ~/.openclaw/workspace-front-door (and the absolute path /Users/yangguangwei/...) to see what network calls it makes, which hosts it contacts, and what credentials or files it reads;
2) Confirm where get_copilot_data sends requests (base URL) and whether it will use any local tokens or system credentials. If it contacts internal BI endpoints, ensure that's intended;
3) Remove or fix the hardcoded absolute path in analyze.py (it reveals a username and may break on other systems);
4) Run the skill in a restricted/sandboxed environment first, and avoid running with elevated privileges;
5) If you cannot inspect the local api_client, do not grant this skill access to environments containing sensitive tokens or credentials.
These steps will reduce the risk of accidental credential exposure or unexpected data exfiltration.
