Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Aloudata CAN SKILLS - inventory-strategy
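v1.0.0 Retail inventory health diagnosis and action strategy generation. Based on semantic-layer metrics, it performs four-quadrant category classification, problem-product identification, and action-plan output. Trigger scenarios: the user mentions "inventory diagnosis", "inventory health", "inventory analysis", "slow-moving", "sell-through rate", "stock-to-sales ratio", "replenishment suggestions", "promotion suggestions", "clearance", "inventory strategy", "inventory optimization", "inventory alert", "overstock", "stockout", "out of stock", "sales movement", "turnover", or the user wants to, based on inventory data, gen...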
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
Medium confidence
Purpose & Capability
The skill's name/description (inventory health diagnosis and action plan) matches what the SKILL.md and bundled files implement (four-quadrant classification, HTML reports, rule-based actions). However SKILL.md requires the metric-query Skill/Gateway for data retrieval but the package metadata does not formally declare that dependency — an implementation mismatch that affects whether the skill can actually function.
Instruction Scope
Runtime instructions are focused on inventory diagnosis: explicit JSON queries to metric-query, strict data validation rules, and multi-stage behavior with explicit pauses. The skill does not instruct reading unrelated system files or environment variables, nor does it attempt network calls to endpoints outside the expected metric-query gateway workflow. It does require generating and writing HTML output (templates included).
Install Mechanism
There is no install spec (instruction-only), which is low-risk in general. However the supplementary docs (dynamic-sensing.md) include Python code that imports/uses numpy in examples; the code file classify-code.py is pure Python but the package does not declare a runtime (Python) or dependency (numpy). If the agent or operator plans to execute the provided Python snippets, the required runtime and libraries are not declared — an operational/integration gap that could lead to silent failures or ad-hoc installs.
Credentials
The skill requests no environment variables, no credentials, and no config paths. The only external access it requires is to the metric-query Skill/Gateway for metric discovery and data queries, which is consistent with its function. Ensure you trust and inspect the metric-query skill because it will handle data access/credentials.
Persistence & Privilege
The skill is not marked always:true and does not request to modify other skills or system settings. It generates HTML output files but does not request persistent privileged system changes. No indicators of unusual persistence or privilege escalation.
What to consider before installing
This skill appears to do what it says (inventory diagnosis and rules-based action plans) but there are practical gaps you should resolve before enabling it:
(1) SKILL.md depends on a metric-query Skill/Gateway — confirm that metric-query is installed, trusted, and has only the minimum permissions necessary; the registry metadata does not list this dependency.
(2) The documentation includes Python snippets that use numpy; if you plan to run the provided code, ensure a Python runtime and numpy (or equivalent) are available — the skill doesn't declare these requirements.
(3) The skill will generate HTML reports; clarify where files are written and who can access them (avoid writing sensitive exports to public locations).
(4) Ask the author to explicitly declare dependencies (metric-query, any runtimes/libraries) and to document where generated files are stored.
If you can't verify metric-query or runtime prerequisites, run the skill in a sandboxed environment or request these clarifications from the publisher before installing.
Like a lobster shell, security has layers — review code before you run it.
latestvk973fzgrjk0wqd1v39z7c3y5t98452p5
