v1.0.0

03 Logistics Alert

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 2:43 PM.

Analysis

This instruction-only logistics skill is mostly purpose-aligned, but its batch-anomaly workflow can push findings into supplier risk scoring and limit decisions without clear approval boundaries.

Guidance: Use this skill as an advisory logistics-analysis template unless you have verified its source and referenced rules. Before enabling any linked supplier-scoring workflow, require human approval and clear limits on what order or supplier data can be shared or recorded.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Cascading Failures
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
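When AE-10 (batch anomaly) is triggered, the supplier risk-scoring linkage must be triggered immediately... Skill 2 appends a violation record (deduction in dimension A4)... If AE-10 accumulates ≥3 times/month → trigger a volume-limit evaluation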

A model-derived batch-anomaly classification can be propagated into another skill, supplier score deductions, and volume-limit evaluation, creating downstream business impact from a potentially incomplete or incorrect input.

User impact: A mistaken or unverified batch anomaly could affect supplier scores or business restrictions if the workflow is treated as automatic.
Recommendation: Require explicit human review and confirmation before sending findings to another skill, updating supplier records, or triggering limit or suspension evaluations.

Agentic Supply Chain Vulnerabilities
Severity: Info | Confidence: High | Status: Note
SKILL.md
reference: Unified glossary: docs/GLOSSARY.md... Insufficient-information handling: docs/INSUFFICIENCY-HANDLING.md... Rule update synchronization: docs/RULE-UPDATE-SOP.md

The skill says important rule, insufficiency-handling, and update procedures are defined in referenced docs that are not included in the provided manifest.

User impact: Users cannot verify some cited rule definitions or update procedures from the supplied artifacts.
Recommendation: Provide or verify the referenced documents before relying on the skill for official compensation or escalation decisions.

Human-Agent Trust Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
You are a logistics anomaly early-warning expert in Alibaba's Internal Control Department

The skill frames the agent as an Alibaba internal-control expert and relies on official-rule language, which users may over-trust unless provenance and current rules are verified.

User impact: A user could treat the output as official platform guidance even though the registry source is not established in the artifacts.
Recommendation: Label the skill as advisory unless official ownership and rule sources are verified.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
SKILL.md
Trigger the Skill 2 linkage: notify Skill 2 that this supplier has an AE-10 event

The skill explicitly describes inter-skill notification involving supplier anomaly data, but the artifacts do not define the identity, permissions, or data boundaries for that receiving skill.

User impact: Supplier and order-risk information may be shared into another workflow if the agent environment supports skill-to-skill handoff.
Recommendation: Only enable the linkage with a known, trusted receiving skill and specify what data may be shared.