honor

v1.0.0

Provides JSON API commands to fetch Picqer dashboard KPIs, picklists, stock movements, and revenue data for order fulfillment monitoring.

Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
Code implements a FutureFulfillment Picqer dashboard (fetching picklists, stock, orders) but registry metadata is sparse: the skill name is 'honor' while code/class/slug refer to a Picqer dashboard. SKILL.md documents Picqer commands, but required environment variables (PICQER_SUBDOMAIN and PICQER_API_KEY) are not declared in the registry metadata. This mismatch between declared purpose/requirements and actual code is incoherent.
! Instruction Scope
SKILL.md documents a JSON-only command API and notes that the API key lives in a local .env and access is via Tailscale. However, the code contains a cron.ts that starts a recurring sync every 5 minutes (auto network calls), which is not mentioned in SKILL.md. The code reads only PICQER_SUBDOMAIN and PICQER_API_KEY and calls picqer.com endpoints; there is no evidence of other data collection or external endpoints, but the background syncing is out-of-band relative to the documented commands.
Install Mechanism
There is no install spec (instruction-only in metadata) but the package includes source files and package.json with dependencies (dotenv, @openclaw/sdk). No external downloads or obscure URLs are used. The lack of an explicit install spec is unusual given the included code and package.json, but it's not directly hostile.
! Credentials
The code requires PICQER_SUBDOMAIN and PICQER_API_KEY from the environment (.env), but the skill's declared required env vars/primary credential fields are empty. Requesting an API key for the integrated service would be reasonable, but failing to declare them in metadata is a significant inconsistency that could hide credential requirements from users or automated checks.
! Persistence & Privilege
cron.ts launches an initial sync and schedules setInterval to run every 5 minutes, causing autonomous periodic network activity whenever the skill is loaded. always:false so it's not globally forced, but the background process is not documented in SKILL.md. Combined with autonomous invocation allowed (platform default), this increases the surprise/blast radius if the skill is enabled.
What to consider before installing
This package contains a Picqer dashboard implementation that will read PICQER_SUBDOMAIN and PICQER_API_KEY from the environment and will start a background sync every 5 minutes. Before installing: (1) confirm the skill metadata is corrected to declare required env vars (PICQER_SUBDOMAIN, PICQER_API_KEY); (2) verify you are comfortable storing the Picqer API key in the local .env and that the runtime enforces the stated access restrictions (Tailscale); (3) accept that the skill will perform autonomous periodic network calls (cron) even when not invoked via commands; and (4) review the code yourself or run it in an isolated environment to ensure there is no hidden exfiltration. If you want a stricter review, ask for verification that the skill will not run the cron when disabled and request that the author update SKILL.md/registry metadata to list required env vars and document the background sync.

Like a lobster shell, security has layers — review code before you run it.

latest vk97danhzn8pcepy2zy5rbx0b8580zenj
950 downloads
0 stars
1 version
Updated 1mo ago
v1.0.0
MIT-0

FutureFulfillment Picqer Dashboard v2

JSON-only API for dashboard data. No markdown responses.

Commands

All commands return JSON. No chat explanations.

dashboard.fetch

Returns complete DashboardData object with KPIs, picklists, stock, and revenue.

Input: { "command": "dashboard.fetch", "filters": { "dateFrom": "2024-01-01", "dateTo": "2024-01-31", "picker": "", "client": "" } }

picklists.fetch

Returns only picklists data (open, closed, picker stats).

Input: { "command": "picklists.fetch", "filters": {} }

stock.fetch

Returns stock movements with slow/fast mover categorization.

Input: { "command": "stock.fetch", "filters": {} }

revenue.fetch

Returns revenue per client for sell-stock clients.

Input: { "command": "revenue.fetch", "filters": {} }

Response Format

Always returns JSON. Example success:

{
  "kpis": { "openPicklists": 42, "closedPicklists": 128, ... },
  "picklists": { "open": [...], "closed": [...], "pickerStats": [...] },
  "stock": { "rows": [...] },
  "revenue": { "perClient": [...] },
  "filtersUsed": { ... }
}

Example error:

{ "error": "Picqer API not configured" }

Security

  • API key only in local .env file
  • No credentials in OpenClaw config
  • Access via Tailscale only
