iccn-erp
Review
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent ERP data-query skill, but it requires an ERP API token and can retrieve sensitive business records, so it should be installed with a least-privilege read-only token.
Before installing, confirm the ERP_API_BASE_URL points to your trusted ERP instance and provide only a read-only, least-privilege ERP_API_TOKEN. Treat returned ERP records as sensitive, and review or replace the included UI sample endpoint before using it.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If installed with a broad ERP token, the agent may retrieve sensitive orders, customer records, supplier records, purchases, and inventory data.
The skill authenticates to the ERP API using a bearer token from the environment; this is expected for ERP access but means the agent can query data allowed by that token.
Token: read from the environment variable `ERP_API_TOKEN` ... 'authorization': `Bearer ${ERP_TOKEN}`
Use a read-only, least-privilege ERP token scoped to the specific tables and users who need this skill; avoid using an admin token.
If that sample UI is reused, order identifiers may be sent to dev.iccn.cc and may appear in URL/query logs.
The optional UI reference sends an order number to a fixed external endpoint instead of using the configured ERP_API_BASE_URL.
fetch(`https://dev.iccn.cc/api/openclaw/order_detail?order_no=${encodeURIComponent(orderNo.trim())}`)
Only use the sample endpoint if dev.iccn.cc is the intended ERP service; otherwise adapt it to the configured ERP_API_BASE_URL and avoid placing sensitive identifiers in query strings.
