Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
库存慧眼 / Inventory Eye
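v1.0.0 · Inventory Eye: lightweight inventory monitoring that tells you "what needs restocking, what isn't selling, and what is about to expire"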
by Jun Zhang @hanjing5024064
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description (inventory monitoring, reorder suggestions, turnover analysis) align with the provided scripts and SKILL.md. The scripts implement import, monitoring, alerts, reorder calculation and turnover analysis, and they only depend on the Python standard library as claimed.
Instruction Scope
SKILL.md instructs the agent to run local Python scripts (e.g., python3 scripts/inventory_store.py --action import --file <csv_path>), which matches the included code. The scripts read user-provided CSV/JSON (via --file, --data, --data-file or stdin) and operate on the local data directory; be aware that CLI arguments or --data-file can point to arbitrary files the user permits, which is expected for a CLI tool but means the skill will read files the user points it at.
Install Mechanism
No install spec is present (instruction-only install). The skill includes Python scripts but does not download or execute remote code or install packages during install; it relies on a local Python runtime (Python 3.8+ per README).
Credentials
No required credentials or secrets are requested. Two optional environment variables (IE_SUBSCRIPTION_TIER, IE_DATA_DIR) are declared and used by the code to control tier behavior and data storage path — this is proportionate and explained in SKILL.md and utils.py.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It stores data under a per-skill directory (default ~/.openclaw-bdi/inventory-eye/ or IE_DATA_DIR) and creates inventory.json/transactions.json there — normal for a local data tool.
Assessment
This skill appears coherent and local-only, but before installing/running: (1) ensure you run the scripts with a trusted Python interpreter; (2) back up any existing inventory data in the default data directory if you reuse that path; (3) only point the tool at CSV/JSON files you trust (the CLI will read files passed via --file or --data-file and stdin); (4) if you want data stored elsewhere, set IE_DATA_DIR to a directory you control; (5) review the remaining truncated/omitted sections if you need 100% assurance (the provided files reviewed here show no network calls or credential exfiltration).
Like a lobster shell, security has layers — review code before you run it.
