Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

МойСклад

v1.0.1

МойСклад ERP — manage products, counterparties, orders, warehouses, stock and documents via the REST API. Use when you need to get data from МойСк...

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for monsterdeveloper/moysklad.

Install the skill "МойСклад" (monsterdeveloper/moysklad) from ClawHub.
Skill page: https://clawhub.ai/monsterdeveloper/moysklad
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install moysklad

ClawHub CLI

npx clawhub@latest install moysklad
Security Scan
Capability signals
Requires OAuth token
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill name, description, SKILL.md, and the included Node.js CLI (scripts/moysklad.mjs) all consistently implement a MoySklad REST API helper (listing products, counterparties, orders, creating objects, direct API proxy). Functionality requested by the code is coherent with the stated purpose. However, the registry metadata claims 'Required env vars: none' while the SKILL.md and code explicitly require MOYSKLAD_TOKEN or MOYSKLAD_LOGIN + MOYSKLAD_PASSWORD — this metadata omission is an inconsistency.
Instruction Scope
Runtime instructions are narrowly scoped to authenticating to MoySklad and making REST calls (me, products, orders, create-counterparty, create-order, api proxy). The SKILL.md does not instruct the agent to read unrelated files, hostnames, or system secrets beyond the declared MoySklad credentials. The CLI code likewise only calls the MoySklad API base URL and formats output.
Install Mechanism
There is no install spec (instruction-only deployment plus bundled script). No downloads from external or untrusted URLs, no archives extracted, and the script is plain JavaScript with no obfuscation. This is low-risk from an install perspective.
Credentials
Requiring a MOYSKLAD_TOKEN or login/password is appropriate for a MoySklad integration. The concern is the registry metadata does not declare these required environment variables or mark a primary credential, meaning an agent or installer may not surface a credentials prompt or policy check — increasing the chance a user will unknowingly supply sensitive credentials. The credential types requested (API token or account password) are sensitive and should be explicitly declared in metadata.
Persistence & Privilege
The skill does not request always:true or any elevated system presence; it is user-invocable and uses standard CLI behavior. It does not modify other skills' configs or request persistent agent-wide privileges.
What to consider before installing
This package appears to be a straightforward MoySklad API CLI: it only talks to https://api.moysklad.ru and the code is readable. However, the registry metadata failing to declare that the skill needs MOYSKLAD_TOKEN or MOYSKLAD_LOGIN/MOYSKLAD_PASSWORD is an important mismatch. Before installing, confirm the skill source (author/repository) and prefer using a dedicated API token (not your full account password) with minimal scope. Do not paste credentials into unknown or unverified skill portals. If possible, inspect scripts/moysklad.mjs yourself or run it in a constrained environment (e.g., a disposable account or container) to verify it only contacts api.moysklad.ru. If you manage multiple skills, ensure this skill is not granted persistent or cross-skill credentials and consider requesting the publisher update registry metadata to declare the required env vars.
scripts/moysklad.mjs:14
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
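
One way to carry out the manual inspection the scan recommends, as an added example (not ClawHub's scanner and not the skill's own code): a Node.js static check that lists the environment variables and outbound hosts a skill script references and compares them with what the registry metadata declares. `SAMPLE_SOURCE` is a constructed stand-in for `scripts/moysklad.mjs`, and all function names are hypothetical.

```javascript
// Added example: static audit of a skill script against its declared metadata.
const DECLARED_ENV = []; // this page's registry metadata: "Required env vars: none"
const ALLOWED_HOSTS = ['api.moysklad.ru']; // the only host the scan report expects

// Constructed sample, NOT the real scripts/moysklad.mjs.
const SAMPLE_SOURCE = `
const BASE = 'https://api.moysklad.ru/api/remap/1.2';
const token = process.env.MOYSKLAD_TOKEN;
const login = process.env['MOYSKLAD_LOGIN'];
const { MOYSKLAD_PASSWORD: password } = process.env;
await fetch(BASE + '/entity/product', { headers: { Authorization: 'Bearer ' + token } });
`;

// Names read via process.env.X, process.env['X'] or destructuring.
function envVarsRead(src) {
  const names = new Set();
  const direct = /process\.env(?:\.([A-Za-z_]\w*)|\[\s*['"]([^'"]+)['"]\s*\])/g;
  for (const m of src.matchAll(direct)) names.add(m[1] || m[2]);
  for (const m of src.matchAll(/\{([^}]*)\}\s*=\s*process\.env\b/g)) {
    for (const part of m[1].split(',')) {
      const key = part.split(/[:=]/)[0].trim();
      if (key) names.add(key);
    }
  }
  return [...names].sort();
}

// Hostnames of every literal http(s) URL in the source.
function outboundHosts(src) {
  const hosts = new Set();
  for (const m of src.matchAll(/https?:\/\/[^\s'"`)]+/g)) {
    try { hosts.add(new URL(m[0]).hostname); } catch { /* not a parseable URL */ }
  }
  return [...hosts].sort();
}

function auditSkill(src, declaredEnv, allowedHosts) {
  return {
    undeclaredEnv: envVarsRead(src).filter((n) => !declaredEnv.includes(n)),
    unexpectedHosts: outboundHosts(src).filter((h) => !allowedHosts.includes(h)),
  };
}

console.log(auditSkill(SAMPLE_SOURCE, DECLARED_ENV, ALLOWED_HOSTS));
```

A regex pass like this misses computed lookups such as `process.env[name]` and URLs assembled at run time, so it complements running the script in a constrained environment rather than replacing it.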

Like a lobster shell, security has layers — review code before you run it.

latest: vk970zdeb4p4jvzmdt6c8ej5q6s84v7vh
71 downloads
0 stars
2 versions
Updated 1w ago
v1.0.1
MIT-0

МойСклад

A skill for working with МойСклад via JSON API 1.2. Use it to read and write data: products, counterparties, customer orders, invoices, warehouses, stock.

Setup

  1. Set the environment variables (one of the options):

    Option A — token (preferred):

    export MOYSKLAD_TOKEN='<токен>'
    

    The token is created in МойСклад → Настройки → Безопасность → Токены (Settings → Security → Tokens).

    Option B — login/password:

    export MOYSKLAD_LOGIN='логин@email.com'
    export MOYSKLAD_PASSWORD='пароль'
    
  2. Check the connection:

    node scripts/moysklad.mjs me
    

Quick start

# List products
node scripts/moysklad.mjs products

# Search for a product
node scripts/moysklad.mjs products --search "Ноутбук"

# Counterparties
node scripts/moysklad.mjs counterparties

# Stock
node scripts/moysklad.mjs stock

# Customer orders
node scripts/moysklad.mjs orders

# Create a counterparty
node scripts/moysklad.mjs create-counterparty --name "ООО Рога и Копыта" --inn "7701234567"

# Create an order
node scripts/moysklad.mjs create-order --counterparty-id <id> --product-id <id> --quantity 5 --price 1000

CLI commands

All commands support the --json flag for raw JSON output.

Account information

  • node scripts/moysklad.mjs me — current user and organization

Products

  • node scripts/moysklad.mjs products — list all products
  • node scripts/moysklad.mjs products --search "текст" — search
  • node scripts/moysklad.mjs products --limit 50 --offset 0 — pagination
  • node scripts/moysklad.mjs product-get <id> — product by ID

Counterparties

  • node scripts/moysklad.mjs counterparties — list
  • node scripts/moysklad.mjs counterparties --search "ООО" — search
  • node scripts/moysklad.mjs create-counterparty --name "Название" [--inn ИНН] [--phone "+7..."] [--email "..."] — create

Customer orders

  • node scripts/moysklad.mjs orders — list orders
  • node scripts/moysklad.mjs order-get <id> — order by ID with its line items
  • node scripts/moysklad.mjs create-order --counterparty-id <id> --product-id <id> --quantity 1 --price 100 — create an order

Warehouses

  • node scripts/moysklad.mjs stores — list warehouses

Stock

  • node scripts/moysklad.mjs stock — stock across all warehouses
  • node scripts/moysklad.mjs stock --store-id <id> — by warehouse
  • node scripts/moysklad.mjs stock --product-id <id> — by product

Customer invoices

  • node scripts/moysklad.mjs invoices — list invoices
  • node scripts/moysklad.mjs invoice-get <id> — invoice by ID

Direct API requests

# GET
node scripts/moysklad.mjs api GET /entity/product?limit=10

# POST
node scripts/moysklad.mjs api POST /entity/counterparty '{"name":"Тест"}'

# PUT
node scripts/moysklad.mjs api PUT /entity/product/<id> '{"name":"Новое имя"}'

# DELETE
node scripts/moysklad.mjs api DELETE /entity/product/<id>

Errors

  • 401 — invalid login/password
  • 403 — insufficient permissions
  • 404 — record not found, check the ID
  • 429 — rate limit exceeded (45 req/s)
  • Code 1003 in the body — invalid data format

Reference materials

  • API overview and authentication: references/api-overview.md
  • Main entities and fields: references/entities.md
  • Code examples: references/examples.md
