Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Store Target Tracking Analysis
v1.0.0 Store target-tracking analysis tool. Supports daily/weekly/monthly target tracking, T-N data delay, and traffic-light status warnings. Core capabilities: 1. Three-cycle tracking (daily tracking for morning meetings/real-time alerts, weekly tracking for weekly review meetings, monthly tracking for monthly assessment) 2. T-N data delay support (default T-1) 3. Traffic-light statuses (🟢 normal, 🟡 attention, 🟠 warning, 🔴 alarm/urgent) 4. Batch alert checks (checks ...
⭐ 1 · 68 · 0 current · 0 all-time
by Xtechmerge.AI @gwyang7
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
Confidence: high
Purpose & Capability
The skill claims to be a local retail target-tracking analyzer and reads local target/mapping files (which is reasonable). However, the code imports get_copilot_data from an absolute, user-specific path (/Users/yangguangwei/.openclaw/workspace-front-door) that is not declared anywhere in the manifest or SKILL.md. That external dependency and implied API calls are not documented in the skill metadata (no required env vars, no install spec), so the runtime capability is under-specified and unexpectedly reliant on a local/remote service.
Instruction Scope
SKILL.md instructs reading files under ~/.openclaw and running analyze/check_alerts functions — expected for this purpose. But instructions do not mention the api_client dependency or network calls (fetch_actual_data calls get_copilot_data with '/api/v1/store/overview/bi'), so the true I/O surface (network/API access via an external client) is not disclosed. The SKILL.md also suggests cron usage but doesn't explain notification integration or required credentials.
Install Mechanism
There is no install spec, yet the package contains Python code that imports modules expected to exist in a specific user workspace. That implicit dependency on an out-of-repo module (via sys.path insertion of an absolute path) is fragile and risky: it will fail or behave unpredictably unless that external code and environment are present. No package sources or vetted release hosts are provided.
Credentials
Manifest declares no required env vars or credentials, but the code calls get_copilot_data (an API client not in the bundle). That client likely performs network requests and may need credentials or tokens stored elsewhere; those are not declared. The skill also reads user home data files (~/.openclaw/...), which may contain sensitive organization-specific data — this access is proportional to the stated purpose but should be documented and made explicit.
Persistence & Privilege
The skill is not marked always:true and does not request any platform-level privileges. It suggests a user cron schedule example, but that is an optional usage pattern invoked by the user. There is no evidence the skill modifies other skills or system-wide settings.
What to consider before installing
This skill is suspiciously under-documented: before installing, verify the missing pieces. Specifically:
1) Inspect the external api_client (get_copilot_data) that the code imports from /Users/yangguangwei/.openclaw/workspace-front-door — understand what network endpoints it calls and what credentials it needs.
2) Confirm you have (or are willing to supply) the local data files (~/.openclaw/workspace-store-ops-analyst/targets/*.json and cache user_stores_114.json) and that they don't contain secrets you don't want the skill to read.
3) Ask the publisher for an install spec and list of required environment variables/credentials; it is unsafe to run code that silently depends on a local API client.
4) Note the code contains apparent bugs/undefined variables in return values—test in a sandbox before using on production data.
If you cannot verify the api_client and its network behavior, avoid enabling this skill or run it in an isolated environment.
latest: vk973nyevhn9j9rqk8dwbxkgqx583n87p
