Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pinkr Crm

A Pinkr back-office API calling tool that lets AI models call the Pinkr CRM system automatically. All endpoints are POST and take their parameters in a JSON request body; common endpoints such as member lookup are included.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 8 · 0 current installs · 0 all-time installs
Security Scan
VirusTotal
Benign
View report →
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description, code, and declared runtime behavior align: this is a CLI client for the Pinkr CRM that needs an admin username/password to obtain a token and call POST JSON endpoints. However the registry metadata lists no required env vars while the SKILL.md and code require PINKR_ADMIN_NAME and PINKR_PASSWORD — an inconsistency in packaging. Also the repository layout places config files under scripts/, but the runtime code expects config.json and a config/ directory in the working directory, implying the shipped files may not be read unless the packaging/working directory is adjusted.
Instruction Scope
SKILL.md allows the agent to run the Python CLI and to Read(config.json) and Read(.env). The code will attempt to read config.json/config/field_mappings.json and .env (via environment access). Allowing Read(.env) grants the skill potential access to unrelated secrets in the environment. The CLI also accepts a full URL as --endpoint, so an attacker or misuse could direct credentials or request payloads to arbitrary endpoints. The login routine prints a DEBUG_LOGIN_RESPONSE to stderr on unexpected token formats which could leak sensitive response contents into logs.
Install Mechanism
No external install/downloads are requested; the skill is provided as local Python code and uses standard requests and included formatter modules. No network-based installers or obscure URLs are used. This is low-risk from an installation-origin perspective.
Credentials
Requiring PINKR_ADMIN_NAME and PINKR_PASSWORD is proportional to a CRM API client. However SKILL.md explicitly permits reading .env and config.json; reading .env can expose other unrelated secrets. The metadata listing no required env vars while SKILL.md and the code require credentials is a mismatch that should be corrected. The client will send those admin credentials (via login) to the configured base_url; if a full URL is provided it may be sent elsewhere, increasing exfiltration risk.
Persistence & Privilege
The skill does not request always:true and does not attempt to persist or modify other skills or system-wide configuration. Tokens are cached only in memory for the run. Autonomous invocation is allowed (platform default) but not combined with extra persistent privileges.
What to consider before installing
This skill appears to implement a Pinkr CRM CLI client, but packaging and instruction inconsistencies mean you should be cautious. Before installing: (1) Confirm the source and that the PINKR_ADMIN_NAME/PINKR_PASSWORD requirement in SKILL.md is intentional (registry metadata currently omits them). (2) Avoid granting it permission to read your .env or other global env files that contain unrelated secrets; prefer providing only a scoped CRM service account with minimal permissions. (3) Be aware the CLI accepts a full URL for --endpoint, which could be abused to send data to arbitrary hosts — only allow endpoints you trust (or restrict to the CRM base URL). (4) Note debug output may leak response bodies to stderr/logs; run in an isolated environment if possible. If the author fixes metadata (declares required env vars) and removes or narrows .env access (or documents it clearly), the concerns would be reduced.
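Point (3) above turns on one detail: if the CLI hands --endpoint to a URL-joining routine, an absolute URL replaces the configured CRM origin and the admin token plus request payload are posted to whatever host the caller named. The following is an added example written for this page, not code from the skill or from ClawHub; how the real CLI builds its URLs is not shown here. It uses the base URL that SKILL.md gives, a constructed attacker host, and shows the naive join beside a resolver that pins every request to the CRM origin by accepting only relative paths and re-checking the joined result.

```python
from urllib.parse import urljoin, urlsplit

# Constructed for this example: the CRM origin given in SKILL.md.
BASE_URL = "https://crm.pinkr.com/"


def resolve_endpoint_unsafe(base_url: str, endpoint: str) -> str:
    """What a naive CLI does with --endpoint.

    urljoin() treats an absolute URL as a complete replacement for the base,
    so the Bearer token and JSON payload follow --endpoint to any host.
    """
    return urljoin(base_url, endpoint)


def resolve_endpoint(base_url: str, endpoint: str) -> str:
    """Pin the request to the configured CRM origin.

    Only a path relative to base_url is accepted (e.g. Crm/Customer/GetCustomers).
    Absolute URLs, scheme-relative //host forms, backslashes and ".." escapes
    above the base path are rejected, and the *joined* URL is re-checked
    rather than trusting the input string alone.
    """
    base = urlsplit(base_url)
    if base.scheme != "https" or not base.netloc:
        raise ValueError("base_url must be an absolute https:// URL")
    if "://" in endpoint or endpoint.startswith("//") or "\\" in endpoint:
        raise ValueError("endpoint must be a path relative to the CRM base URL")
    final = urlsplit(urljoin(base_url, endpoint))
    if (final.scheme, final.netloc) != (base.scheme, base.netloc):
        raise ValueError("endpoint resolved to a different origin")
    if not final.path.startswith(base.path or "/"):
        raise ValueError("endpoint escaped the CRM base path")
    return final.geturl()


def is_allowed(base_url: str, endpoint: str) -> bool:
    """True if resolve_endpoint() accepts the pair; handy for an allow-list check."""
    try:
        resolve_endpoint(base_url, endpoint)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed attacker-controlled value: a full URL passed as --endpoint.
    evil = "https://attacker.example/collect"
    print("unsafe join sends to:", resolve_endpoint_unsafe(BASE_URL, evil))
    print("pinned resolver allows evil URL:", is_allowed(BASE_URL, evil))
    print("pinned resolver allows relative path:",
          is_allowed(BASE_URL, "Crm/Customer/GetCustomers"))
```

The resolver deliberately refuses even an absolute URL for the legitimate host; a skill that only ever needs the two documented paths has no reason to accept anything but a relative path, and checking the joined URL rather than the raw string is what catches the `..` escape when the base URL carries a path prefix.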

Like a lobster shell, security has layers — review code before you run it.

Current version: v0.1.0
latest: vk97e2e0zj2rygd01s2kf23nvcs83z6v4

SKILL.md

Pinkr CRM API Skill

Trigger scenarios

  • An AI model needs to call Pinkr back-office endpoints (including member-related functions) through a Python CLI.
  • A unified capability for login, token management, API calls and error handling is needed.

Feature description

Recognizes the intent of the user's question and calls the corresponding endpoint. The following feature modules are supported:

  1. Member management: list members, query member details.

Core capabilities

  • Login: POST https://crm.pinkr.com/Crm/Business/getToken
  • Token management: in-memory cache, valid for a single run
  • API calls: POST with a JSON request body, Bearer Token authentication
  • Error handling: automatic re-login when the token is invalid, automatic retry on network errors
  • Output: pretty-printed JSON for easy parsing by AI models

Login

  • URL: https://crm.pinkr.com/Crm/Business/getToken
  • Method: POST
  • Parameters: admin_name, password
  • Returns: JSON containing the token (e.g. {"code": 200, "data": {"token": "xxx"}, "message": "success"})
  • Token validity: 1 day (cached in memory, valid for a single run)

Request format

All endpoints are called the same way, as POST requests:

  • Path: Crm/Customer/GetCustomers
  • Full URL: https://crm.pinkr.com/Crm/Customer/GetCustomers
  • Method: POST
  • Request body: {"phone": "13800138000"}
  • Response example:

Common response parameters

| Parameter | Type | Description |
| --- | --- | --- |
| code | string | status code |
| message | string | message |
| data | string | data |

Feature overview

| Endpoint | Path | Description |
| --- | --- | --- |
| Member list | Crm/Customer/GetCustomers | Member list |
| Member details | Crm/Customer/GetCustomer | Member details, accessed with the customer_id returned by the member list |

Endpoint details

1. Member list

  • Function: member list
  • Endpoint: Crm/Customer/GetCustomers
  • Request parameters: none
  • Returned data:

| Parameter | Type | Description |
| --- | --- | --- |
| phone | string | phone number |

2. Member details

  • Function: member details
  • Endpoint: Crm/Customer/GetCustomer
  • Request parameters: none
  • Returned data:

| Parameter | Type | Description |
| --- | --- | --- |
| id | string | member id |

Usage

  • Environment variables (recommended): PINKR_BASE_URL, PINKR_ADMIN_NAME, PINKR_PASSWORD

CLI overview

  • login: log in and cache the token in memory
  • api: call an API; requires --endpoint and --data
  • clear-cache: clear the in-memory token
  • test-connection: test login and connectivity
  • show-config: show the current configuration
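The Core capabilities, Login and CLI overview sections describe one flow: log in with admin_name/password, keep the token only in memory, send every call as POST JSON with a Bearer header, and log in again when the token is rejected. The block below is an added example written for this page, not the skill's own code, showing that flow in Python against an injectable transport and a constructed fake CRM so it runs offline. Assumptions not stated on the page: the CRM signals a rejected or expired token with code 401 (SKILL.md does not document the real code), endpoints are paths relative to the base URL, and a failed login reports only the status code rather than dumping the response body to stderr, which is the leak the scan report flags.

```python
from typing import Any, Callable, Dict, List, Optional, Tuple

# A transport takes (url, headers, json_body) and returns the parsed JSON reply.
# Injecting it keeps the example offline; a real client would wrap requests.post.
Transport = Callable[[str, Dict[str, str], Dict[str, Any]], Dict[str, Any]]


class PinkrAuthError(Exception):
    """Raised when login fails or a freshly issued token is still rejected."""


class PinkrClient:
    LOGIN_PATH = "Crm/Business/getToken"   # path given in SKILL.md
    # Assumption: the CRM marks a rejected/expired token with code 401.
    # SKILL.md does not document the real code; adjust to match the server.
    TOKEN_REJECTED = 401

    def __init__(self, base_url: str, admin_name: str, password: str,
                 transport: Transport) -> None:
        self._base = base_url.rstrip("/") + "/"
        self._creds = {"admin_name": admin_name, "password": password}
        self._transport = transport
        self._token: Optional[str] = None      # in-memory only, per SKILL.md

    def _url(self, endpoint: str) -> str:
        # Expects a path relative to the base URL, never a full URL.
        return self._base + endpoint.lstrip("/")

    def login(self) -> str:
        reply = self._transport(self._url(self.LOGIN_PATH),
                                {"Content-Type": "application/json"}, dict(self._creds))
        data = reply.get("data")
        token = data.get("token") if isinstance(data, dict) else None
        if not isinstance(token, str) or not token:
            # Report only the status code: the raw body may carry account details,
            # and echoing it to stderr (as a DEBUG dump would) leaks it into logs.
            raise PinkrAuthError(f"login failed with code={reply.get('code')!r}")
        self._token = token
        return token

    def _post(self, endpoint: str, body: Dict[str, Any]) -> Dict[str, Any]:
        headers = {"Content-Type": "application/json",
                   "Authorization": f"Bearer {self._token}"}
        return self._transport(self._url(endpoint), headers, body)

    def call(self, endpoint: str, body: Dict[str, Any]) -> Dict[str, Any]:
        """POST JSON with the cached token; re-login once if the token is rejected."""
        if self._token is None:
            self.login()
        reply = self._post(endpoint, body)
        if reply.get("code") == self.TOKEN_REJECTED:
            self.login()                         # one refresh, then give up
            reply = self._post(endpoint, body)
            if reply.get("code") == self.TOKEN_REJECTED:
                raise PinkrAuthError("token rejected immediately after re-login")
        return reply


class FakeCrm:
    """Constructed stand-in for crm.pinkr.com so the example runs offline.

    Each token is good for `ttl` authenticated calls, which exercises the
    automatic re-login path without waiting a day.
    """

    def __init__(self, admin_name: str, password: str, ttl: int = 2) -> None:
        self._creds = {"admin_name": admin_name, "password": password}
        self._ttl = ttl
        self.issued = 0                          # number of logins accepted
        self._live: Dict[str, int] = {}          # token -> calls remaining
        self.log: List[Tuple[str, Optional[str], Dict[str, Any]]] = []

    def __call__(self, url: str, headers: Dict[str, str],
                 body: Dict[str, Any]) -> Dict[str, Any]:
        self.log.append((url, headers.get("Authorization"), body))
        if url.endswith(PinkrClient.LOGIN_PATH):
            if body != self._creds:
                return {"code": 401, "data": "", "message": "bad credentials"}
            self.issued += 1
            token = f"tok{self.issued}"
            self._live[token] = self._ttl
            return {"code": 200, "data": {"token": token}, "message": "success"}
        token = (headers.get("Authorization") or "").replace("Bearer ", "", 1)
        if self._live.get(token, 0) <= 0:
            return {"code": 401, "data": "", "message": "token expired"}
        self._live[token] -= 1
        if url.endswith("Crm/Customer/GetCustomers"):
            return {"code": 200, "message": "success",
                    "data": [{"customer_id": "c1", "phone": body.get("phone", "")}]}
        return {"code": 404, "data": "", "message": "unknown endpoint"}


def demo() -> Dict[str, Any]:
    """Three member-list calls on a two-call token: the third triggers a re-login."""
    crm = FakeCrm("admin", "s3cret", ttl=2)
    client = PinkrClient("https://crm.pinkr.com", "admin", "s3cret", crm)
    replies = [client.call("Crm/Customer/GetCustomers", {"phone": "13800138000"})
               for _ in range(3)]
    return {"codes": [r["code"] for r in replies], "logins": crm.issued, "log": crm.log}


if __name__ == "__main__":
    result = demo()
    print("reply codes:", result["codes"], "logins performed:", result["logins"])
```

The retry is bounded to a single re-login so a server that keeps rejecting tokens cannot turn the client into a credential-spraying loop, and the login error deliberately carries no response body; a practitioner wiring this to the real CRM should replace the 401 assumption with the code the server actually returns and keep the transport's logging free of the Authorization header.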

Files

10 total
