Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

历史基线分析 (Historical Baseline Analysis)

v1.0.0

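Store historical baseline analysis tool. Based on Agent API database views, it provides multi-period baselines plus quartile analysis. Core capabilities: 1. Multi-period baselines (13 weeks/quarter, 26 weeks/half year, 52 weeks/full year, 12 months) 2. Multi-dimensional grouping (by day of week, calendar week, calendar month) 3. Quartile analysis (P25/P50/P75, identifying anomalous ranges) 4. Baseline types (weekday: by day of week...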

by Xtechmerge.AI @gwyang7

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for gwyang7/retail-store-poscore-baseline-analysis.

Install the skill "历史基线分析" (gwyang7/retail-store-poscore-baseline-analysis) from ClawHub.
Skill page: https://clawhub.ai/gwyang7/retail-store-poscore-baseline-analysis
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install retail-store-poscore-baseline-analysis

ClawHub CLI


npx clawhub@latest install retail-store-poscore-baseline-analysis
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (store baseline analysis) match the code's functionality (fetch historical data, compute quartiles, compare current vs baseline). The dependency on an Agent API query_database function is reasonable for a DB-backed analysis tool. However, the code also modifies sys.path to a user-specific absolute path (/Users/yangguangwei/.openclaw/workspace-front-door) to import api_client, which is unusual for a distributable skill and not justified in SKILL.md.
Instruction Scope
SKILL.md describes only analysis and shows a simple Python API. The actual runtime code issues SQL queries (via query_database) built with f-strings, parses results, and returns baselines. That's within expected scope, but the SQL is constructed with unsanitized interpolation of store_id and dates (typical but worth noting). The skill reads nothing else from the system in the provided code, but it depends on an external api_client (see Purpose & Capability).
Install Mechanism
No install spec (instruction-only / code bundled). Nothing is downloaded or written by an installer. This is the lower-risk arrangement for skill installation.
Credentials
The skill declares no required environment variables or credentials, which superficially limits exposure. However, it forcibly adds a hard-coded absolute path to sys.path and imports api_client from outside the skill package; that external module could access credentials or agent internals at runtime. The lack of declared dependency / explanation for api_client is disproportionate and obscures what privileges the skill will use.
Persistence & Privilege
always is false and the skill does not request persistent/always-on privileges or modify other skills. Autonomous invocation is allowed (platform default) but not combined with other elevated flags.
What to consider before installing
This skill appears to implement the baseline analysis it advertises, but there are red flags you should address before installing or running it in production:

  • The code inserts a hard-coded absolute path (/Users/yangguangwei/...) into sys.path and imports api_client from there. Ask the publisher why this external module is required and request that api_client be bundled, replaced with a documented dependency, or imported via a relative path. Running the skill as-is could cause it to execute code outside the skill bundle if that path exists in your environment.
  • query_database is called but not defined in the skill; confirm what api_client.query_database does, what credentials it uses, and whether it can access more data than intended. Prefer explicit, documented dependencies or an SDK instead of implicit imports.
  • The SQL strings are built via f-strings with interpolated store_id/dates. If you or callers can pass untrusted input into store_id, this could produce unexpected SQL. Validate or sanitize inputs if you accept external values.
  • Some data-fetching functions (weekly/monthly) appear unimplemented/return empty lists; test the skill with non-production data and review outputs for correctness.

If you cannot get satisfactory answers about the api_client dependency and the hard-coded path, treat the skill as risky and avoid running it in environments where that path could contain attacker-controlled code or where query_database has broad DB privileges.

Like a lobster shell, security has layers — review code before you run it.

v1.0.0
MIT-0

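历史基线分析 (Historical Baseline Analysis) Skill

Skill Name

store-poscore-baseline-analysis

Version

v1.0

Description

Provides multi-period baselines plus quartile analysis, based on the Agent API (database views).

Data Sources

  • v_gmv_daily_by_store (daily granularity)
  • v_gmv_weekly_by_store (weekly granularity)
  • v_gmv_monthly_by_store (monthly granularity)

Core Capabilities

1. Baseline Types

  • WEEKDAY (weekday) - grouped by day of week (Monday, Tuesday...)
  • WEEK (week) - calendar week (Monday through Sunday)
  • MONTH (month) - calendar month (from the 1st to the last day of each month)

2. Baseline Periods

  • P13W (13w) - 13 weeks (quarter)
  • P26W (26w) - 26 weeks (half year)
  • P52W (52w) - 52 weeks (full year)
  • P12M (12m) - 12 months

3. Quartile Analysis

  • P25 (25th percentile)
  • P50 (median)
  • P75 (75th percentile)
  • Identifies anomalous ranges

4. Minimum Sample Requirements

  • weekday: at least 6 samples
  • week: at least 6 weeks
  • month: at least 6 months

Usage Example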

from analyze import analyze_baseline, BaselineType, BaselinePeriod

# Analyze the store's historical baseline
result = analyze_baseline(
    store_id="416759_1714379448487",
    baseline_type=BaselineType.WEEKDAY,
    baseline_period=BaselinePeriod.P13W,
    end_date="2026-03-25"
)

Version

v1.0.0 - multi-period baselines, quartile analysis
