v1.0.0

陈列货盘分析 (Display Assortment Analysis)

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:23 AM.

Analysis

The skill mostly matches its retail analysis purpose, but it imports an undeclared helper from a hardcoded developer-local path, so users should review it before installing.

Guidance: Review or fix the hardcoded api_client import before installing. If you proceed, confirm that the API client is trusted, packaged or declared properly, and that the skill is only used with stores whose BI data you intend it to read.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Medium | Confidence: High | Status: Concern
analyze.py
sys.path.insert(0, '/Users/yangguangwei/.openclaw/workspace-front-door')
from api_client import get_copilot_data

The skill loads api_client from a hardcoded absolute path outside the provided files, while the manifest only includes SKILL.md and analyze.py. That helper is not reviewable in the supplied artifacts.

User impact: Installing or invoking the skill may fail on most machines, or if that path exists, may execute unreviewed local code before performing the analysis.
Recommendation: Package the API client with the skill, use a relative import or declared dependency, and document any required configuration or credentials instead of relying on a developer-local path.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
analyze.py
data = get_copilot_data(f'/api/v1/store/dashboard/bi?storeId={store_id}&fromDate={from_date}&toDate={to_date}')

The skill retrieves store dashboard BI data for a supplied store and date range. This is aligned with the stated analysis purpose, but it still involves business/customer funnel data through the user's account context.

User impact: The skill can access and print store performance and customer-funnel metrics for the requested store.
Recommendation: Use it only with store IDs and accounts where this BI data access is intended, and ensure the API client uses appropriately scoped read-only authorization.