Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Lingxing ERP (领星 ERP)

v1.0.0

Integrate with Lingxing ERP to query today's orders, product inventory, and retrieve product lists via OpenClaw.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for wengjianmin19850412/lingxing-erp.

Install the skill "领星 ERP" (wengjianmin19850412/lingxing-erp) from ClawHub.
Skill page: https://clawhub.ai/wengjianmin19850412/lingxing-erp
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install lingxing-erp

ClawHub CLI

npx clawhub@latest install lingxing-erp

Security Scan

VirusTotal: Benign

OpenClaw: Suspicious (medium confidence)

Purpose & Capability
Name/description promise (Lingxing ERP queries) aligns with the code: the implementation signs requests and calls Lingxing's API to fetch today's orders. However, the registry metadata claims 'Required env vars: none' while SKILL.md and main.py clearly expect ACCESS_KEY and SECRET_KEY — an inconsistency in what the skill declares vs what it actually needs.
! Instruction Scope
SKILL.md lists three capabilities (today's orders, inventory, product list) but main.py only implements get_today_orders. The runtime instructions and code only access the configured BASE_URL and credentials and do not read other files or unexpected environment variables, but the missing implementations and mismatch between documentation and code are scope/integrity concerns.
Install Mechanism
No install spec (instruction-only plus a small Python file). This minimizes install-time risk. The code uses the 'requests' library but no installer is provided — not a security risk but could cause runtime failures if the runtime lacks requests.
! Credentials
The skill legitimately requires ACCESS_KEY and SECRET_KEY to talk to the Lingxing API (proportionate). However, the registry metadata advertises no required env vars/credentials while SKILL.md and main.py require them — this discrepancy is suspicious and could lead to misconfiguration or hidden credential handling.
Persistence & Privilege
The skill does not request persistent presence (always=false), does not modify other skills or system settings, and does not write to disk beyond normal execution. Autonomous invocation is allowed by default but is not combined with other high-risk factors here.
What to consider before installing

  • The code itself only implements get_today_orders; SKILL.md claims inventory and product-list features that are not present. Don't assume those features exist without asking the publisher.
  • The skill requires ACCESS_KEY and SECRET_KEY (used to HMAC-sign API calls) — that's expected for an API integration, but the registry metadata incorrectly lists no required env vars. Confirm how/where you'll provide credentials and whether the platform will store them securely.
  • Source and homepage are missing. That reduces trust: prefer skills with a verifiable publisher or project page. Consider requesting the publisher's identity or audit trail before using production credentials.
  • Test with limited-scope or read-only API keys first. Monitor network traffic and API use after enabling the skill.
  • If you need inventory/product-list functionality, ask the author for an updated release; do not rely on undocumented behavior.

If you want, I can draft questions to ask the publisher or propose a minimal test plan to validate behavior safely.

Like a lobster shell, security has layers — review code before you run it.

amazon, erp, latest, lingxing, orders
95 downloads
0 stars
1 version
Updated 1mo ago
v1.0.0
MIT-0

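Lingxing ERP Skill

Connects OpenClaw to Lingxing ERP to query order, inventory, and product data.

Configuration

Features

  • Query today's orders
  • Query product inventory
  • Get the product list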
