门店客流分析

This skill appears to implement the documented analysis but has two issues you should verify before installing: 1) Hard-coded import path: analyze.py inserts '/Users/yangguangwei/.openclaw/workspace-front-door' into sys.path and imports api_client. That means the skill will load code from that local path if present. Verify who authored the api_client at that location and what it does. If you don't control or trust that path, the skill could execute arbitrary local code. 2) Undeclared credentials/config: The skill calls get_copilot_data(...) to fetch store data but doesn't declare required API host or authentication environment variables. Inspect api_client.get_copilot_data to see where it sends requests and which credentials it uses. Ensure it doesn't send data to unexpected endpoints or read secrets from your environment (e.g., ~/.aws, token files, or other local config). Recommended actions before use: - Open and review the api_client implementation that will be imported in your environment (or run the skill in an isolated sandbox where you control api_client). - Replace the hard-coded sys.path insertion with a documented import/install mechanism (or vendor a minimal, audited api client in the skill) and require explicit env vars for API host and token. - Run the skill in a restricted environment or with network monitoring to confirm it only calls the intended API endpoint and does not exfiltrate data. If you can provide the api_client source or confirm where get_copilot_data sends requests and how it's authenticated, I can reassess and raise or lower the concern level.