Back to skill
Skillv1.0.0
ClawScan security
Waimai Merchant · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 9, 2026, 10:16 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, CLI commands, and storage access match its stated merchant-management purpose; it stores data locally and does not request external credentials or network I/O.
- Guidance
- This package appears to do what it says: a local CLI for managing merchants and products that stores data under ~/.waimai-merchant/merchant.db. Before installing/running: 1) review the included source if you can (it is provided and implements only local DB operations), 2) be aware npm install will fetch dependencies from the public registry and may compile native modules (better-sqlite3), and 3) back up any existing ~/.waimai-merchant directory if present. If you need networked features or integration with external services, those are not present here — they would require additional code or credentials.
Review Dimensions
- Purpose & Capability
- okName/description (商家/商品/价格/配送时间) align with the included code and CLI: commands implement merchant registration, product CRUD, price and delivery-time updates. No unrelated credentials, binaries, or services are requested.
- Instruction Scope
- okSKILL.md instructs how to install/build and run the CLI in the agent workspace and documents the commands and data directory. The runtime instructions and the code operate on a local SQLite DB and do not direct the agent to read other system files or exfiltrate data.
- Install Mechanism
- noteThe skill has no formal install spec in the registry (instruction-only) but includes full source and a SKILL.md that tells the user to run npm install and npm run build in ~/.openclaw/workspace/skills/waimai-merchant. That will fetch npm dependencies (including better-sqlite3 which may run native build/install scripts). This is expected for a Node+SQLite CLI but you should be aware npm install will contact the public npm registry and may build native modules on the host.
- Credentials
- okNo environment variables, credentials, or config paths are requested. The code creates/uses a data directory under the user's home (~/.waimai-merchant) and the SQLite DB merchant.db — this is proportional to the stated purpose.
- Persistence & Privilege
- okThe skill is not marked always:true and does not modify other skills or global agent settings. It persists only its own data under ~/.waimai-merchant/ and closes the DB on exit/signals.