Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

企雀医美系统-AI助手 (QiQue Medical Aesthetics System AI Assistant)

v1.0.0

Use this skill when an agent needs to answer or plan operations for QiQue business requests in pure text protocol mode (no local executable dependency). Trig...


Install

OpenClaw Prompt Flow (install with OpenClaw)

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for edmon/qique-yimei.

Prompt (Install & Setup):

Install the skill "企雀医美系统-AI助手" (edmon/qique-yimei) from ClawHub.
Skill page: https://clawhub.ai/edmon/qique-yimei
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line (CLI commands)

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI (bare skill slug):

openclaw skills install qique-yimei

ClawHub CLI:

npx clawhub@latest install qique-yimei
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability (flagged)

The skill claims to be a text-only QiQue operations helper (routing and plan generation). That purpose reasonably requires QiQue credentials and a method catalog (both present). However, the registry metadata declares no required config paths or credentials while the SKILL.md explicitly tells the agent to load and persist credentials from config/qique.config.json — a mismatch between declared requirements and what the skill actually expects.

Instruction Scope (flagged)

SKILL.md directs the agent to read credentials from config/qique.config.json (or session memory), persist them between turns, and overwrite on updates. It also instructs strict output formatting and to never call the remote API (router-only), which is coherent. The primary concern is the explicit instruction to read and write local config state (persist secrets) — this expands the skill's scope beyond pure ephemeral planning and has privacy implications if storage is not secured or if the platform's persistence semantics are unclear.

Install Mechanism

Instruction-only skill with no install spec or downloaded code. This minimizes installation risk because nothing is written to disk by an installer. All behavior is defined in SKILL.md and bundled docs/config files.

Credentials (flagged)

The skill requests four QiQue credential keys in its docs (app_id/app_secret/distribution_app_id/distribution_app_secret) and instructs persistence. Yet the registry shows no required env vars or required config paths. Additionally, the bundle includes config/qique.config.json with a prefilled distribution_app_secret value — a sensitive secret embedded in the skill package. Embedding someone else's distribution secret in the skill bundle is questionable and not justified by the metadata; users should not assume that value is benign or owned by them.

Persistence & Privilege (flagged)

The skill asks the agent to persist user-provided app_id/app_secret between turns and to store/overwrite them in config/text session state. While 'always' is false (no force-installed privilege), persistent storage of credentials increases risk if the platform's storage is not encrypted, shared, or audited. The skill does not modify other skills, but you should confirm how and where credentials are stored and whether the agent can access them later.

What to consider before installing

This skill appears to be a legitimate QiQue planner, but there are a few red flags you should consider before installing or using it:

  • The skill expects you to provide and lets it persist sensitive credentials (app_id and app_secret). Only provide these if you trust the skill's source and you understand where the credentials will be stored and who can access them.
  • The package includes a prefilled distribution_app_secret in config/qique.config.json. That is a sensitive secret embedded in the bundle; do not assume it belongs to you. Ask the publisher why it's included and consider removing or replacing it with empty placeholders before use.
  • The registry metadata did not declare any required config paths, but SKILL.md requires reading/writing config/qique.config.json — this mismatch is sloppy and merits caution.
  • The skill promises not to perform remote calls itself (router-only) and to require explicit user confirmation for write operations; still, verify that the agent/platform enforces 'do not auto-execute' and that any actual API calls (if/when performed) go to the expected QiQue endpoints (the method docs reference pre-e.qique.cn).

Actions you can take:

  • Ask the skill publisher for provenance and whether the included distribution secret is intentional.
  • If you must test, use throwaway QiQue credentials or a test account and remove embedded secrets from the config file.
  • Confirm how and where the platform persists secrets (encryption, removal, access controls) and whether you can revoke stored credentials later.

If you can get answers to the above and confirm secure storage, the skill's behavior would be reasonable for its stated purpose; otherwise treat it as untrusted and avoid providing production credentials.
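As an added pre-install check (not part of the scan report or of the skill's own files), the following Python snippet parses a config/qique.config.json-style file, reports which secret keys carry a real-looking value instead of a placeholder, and blanks them, which is the "remove embedded secrets" step recommended above. It assumes the file is a flat JSON object with the four keys named in the SKILL.md; the sample value is constructed, not the one in the bundle.

```python
import json
import re

SECRET_KEYS = ("app_secret", "distribution_app_secret")  # assumption: flat JSON with the four SKILL.md keys
# Values that are obviously placeholders and therefore fine to ship in a template file.
PLACEHOLDER_RE = re.compile(r"^\s*(|<[^>]*>|your[_-].*|todo|changeme|x{3,}|\*{3,})\s*$", re.IGNORECASE)


def looks_like_placeholder(value):
    """True for empty/None values and for obvious template markers such as <your secret> or CHANGEME."""
    return value is None or (isinstance(value, str) and PLACEHOLDER_RE.match(value) is not None)


def find_prefilled_secrets(config):
    """Return the secret keys whose value is not a placeholder, i.e. a real-looking secret shipped in the bundle."""
    return [key for key in SECRET_KEYS if key in config and not looks_like_placeholder(config[key])]


def scrub_config(config_text):
    """Parse config text, blank every prefilled secret and return (cleaned_config, cleared_keys)."""
    config = json.loads(config_text)
    cleared = find_prefilled_secrets(config)
    for key in cleared:
        config[key] = ""  # empty placeholder; the user supplies their own value later
    return config, cleared


# Constructed sample shaped like the finding above; the secret value is invented, not the one in the bundle.
SAMPLE_CONFIG = json.dumps({
    "app_id": "",
    "app_secret": "",
    "distribution_app_id": "example-dist-id",
    "distribution_app_secret": "example-prefilled-secret-0123456789",
})

if __name__ == "__main__":
    cleaned, cleared = scrub_config(SAMPLE_CONFIG)
    print("cleared:", cleared)
    print(json.dumps(cleaned, indent=2))
```

Run it against the real file before installing; a non-empty cleared list means the bundle shipped a secret that is not yours.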


Latest version id: vk977a5rvn48qpw9npwecm3z34583k8v1
116 downloads · 0 stars · 1 version · updated 1 month ago
Version v1.0.0 · License MIT-0

QiQue Text Protocol

Overview

Use this skill in text-only mode. Do not require local PHP/Node execution. Instead, produce strict structured text:

  1. Method decision
  2. Normalized params JSON
  3. Missing-required fields
  4. Safety check (read/write)
  5. User-facing next action

Prerequisites

  1. Load credentials from config/qique.config.json (or remembered session state).
  2. Keep credentials persistent between turns.
  3. Never expose sensitive variables in any user-facing text.

Required config keys:

  • app_id
  • app_secret
  • distribution_app_id
  • distribution_app_secret

Workflow (Text Only)

  1. Before any business execution, check whether app_id and app_secret are already stored.
    • If either is missing, immediately reply with the exact sentence:
      请提供你的企雀后台的 app_id 和 app_secret (这两个值可以在企雀后台的「系统管理」->「企雀API」中直接获取到),提供后我马上帮你完成操作。
      (In English: "Please provide the app_id and app_secret of your QiQue back office (both can be obtained directly under "System Management" -> "QiQue API" in the QiQue back office); once you provide them I will complete the operation right away.")
    • Wait for the user to provide credentials before continuing.
  2. Route Chinese business intent to a method using references/intent-routing.md.
  3. Review missing_required and fill in the missing parameters.
  4. Decide the operation type:
    • Read operation: return the planned method + params and continue.
    • Write operation: require explicit user confirmation before producing the final execution plan.
  5. Return structured text output.
  6. Interpret errNum when present:
    • errNum = 0: success
    • non-zero: business failure; include errMsg (if returned) and request context for a retry.

Output Protocol

Use this exact output frame:

{
  "route": {
    "method": "<method_name>",
    "operation": "read|write",
    "confidence": 0.0,
    "reason": "<why>"
  },
  "params": {},
  "missing_required": [],
  "can_execute": true,
  "requires_write_confirmation": false,
  "next_action": "<what user should provide/confirm next>"
}

For write operations, add this line before the final plan:

该操作为写操作,请确认是否执行(回复:确认执行 / 取消)
(In English: "This is a write operation; please confirm whether to execute it (reply: 确认执行 = confirm / 取消 = cancel).")

Execution Rules

  1. Never invent parameters not in method signature.
  2. Never continue write-operation plan without explicit user confirmation.
  3. For ambiguous identity fields (cusId vs telnum, billId vs useCode), prefer the ID field when user provides both.
  4. Echo the final method and params to the user before write execution.
  5. Return response JSON as-is, then add a short interpretation.
  6. Credential policy:
    • First-time use without stored app_id/app_secret: must ask with the exact reminder sentence above.
    • After user provides new app_id/app_secret: persist to memory/config text state and reuse later.
    • If user provides newer values later: overwrite the stored values.
    • Never expose distribution_app_id or distribution_app_secret values to customers in any response.
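To make the output frame and the rules above concrete, here is an added Python example (not part of the skill's own files or of references/methods.md) that fills the Output Protocol frame while enforcing the credential check, the missing-field review, the write-confirmation gate, the ID-preference rule, the secret-exposure rule and the errNum interpretation. The two-method catalog, the confidence value and all credential values are constructed assumptions.

```python
import json
METHODS = {  # constructed mini catalog standing in for references/methods.md (not on this page)
    "customer.get": {"operation": "read", "required": ["cusId"], "optional": ["telnum"]},
    "bill.create": {"operation": "write", "required": ["cusId", "items"], "optional": ["remark"]},
}
ID_PAIRS = [("cusId", "telnum"), ("billId", "useCode")]  # rule 3: prefer the ID field when both are given
CRED_PROMPT = "请提供你的企雀后台的 app_id 和 app_secret (这两个值可以在企雀后台的「系统管理」->「企雀API」中直接获取到),提供后我马上帮你完成操作。"
WRITE_CONFIRM = "该操作为写操作,请确认是否执行(回复:确认执行 / 取消)"
SENSITIVE = ("app_secret", "distribution_app_id", "distribution_app_secret")  # never shown to the user

def safe_user_text(text, creds):
    """Prerequisite 3 / rule 6: refuse to emit user-facing text that contains a stored secret value."""
    for key in SENSITIVE:
        value = creds.get(key)
        if value and value in text:
            raise ValueError(f"user-facing text would expose {key}")
    return text

def build_frame(method, user_params, creds, confirmed=False):
    """Fill the Output Protocol frame while enforcing the Workflow and Execution Rules."""
    if not creds.get("app_id") or not creds.get("app_secret"):  # workflow step 1: ask first, then stop
        return {"route": None, "params": {}, "missing_required": ["app_id", "app_secret"],
                "can_execute": False, "requires_write_confirmation": False, "next_action": CRED_PROMPT}
    sig = METHODS[method]
    allowed = set(sig["required"]) | set(sig["optional"])
    params = {k: v for k, v in user_params.items() if k in allowed}  # rule 1: drop params not in signature
    for id_key, alt_key in ID_PAIRS:
        if id_key in params and alt_key in params:
            del params[alt_key]
    missing = [k for k in sig["required"] if k not in params]  # workflow step 3
    needs_confirm = sig["operation"] == "write" and not confirmed  # rule 2: gate every write plan
    if missing:
        next_action = "Provide the missing required fields: " + ", ".join(missing)
    elif needs_confirm:
        next_action = WRITE_CONFIRM
    else:  # rule 4: echo the final method and params before execution
        next_action = f"Execute {method} with params {json.dumps(params, ensure_ascii=False)}"
    return {
        "route": {"method": method, "operation": sig["operation"], "confidence": 0.9, "reason": "constructed"},
        "params": params, "missing_required": missing,
        "can_execute": not missing and not needs_confirm, "requires_write_confirmation": needs_confirm,
        "next_action": safe_user_text(next_action, creds),
    }

def interpret_response(response):
    """Workflow step 6: errNum 0 is success; anything else is a business failure carrying errMsg."""
    err = response.get("errNum", 0)
    return "success" if err == 0 else f"business failure (errNum={err}): {response.get('errMsg', 'no errMsg')}"
```

The frame is only returned after safe_user_text has checked next_action, so a routing bug that copied a stored secret into the reply fails closed instead of reaching the customer.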

Resources

  • Method catalog and operation class: references/methods.md
  • Intent routing behavior: references/intent-routing.md
  • Local config template: config/qique.config.example.json
