Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Order Tracker

v1.0.0

Track and manage sales orders with status updates, notifications, and dashboard reporting. Supports order creation, status transitions (pending/confirmed/shi...

by Jaden's built a claw @cjboy007

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for cjboy007/ssa-order-tracker.

Install the skill "Order Tracker" (cjboy007/ssa-order-tracker) from ClawHub.
Skill page: https://clawhub.ai/cjboy007/ssa-order-tracker
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install ssa-order-tracker

ClawHub CLI


npx clawhub@latest install ssa-order-tracker

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The code implements order dashboard, status updates, and email notifications consistent with the declared purpose. However, the runtime instructions and code implicitly require SMTP credentials (for sending emails) that are not declared in the skill metadata (requires.env is empty). The README and SKILL.md point the SMTP config at a different skill's .env (imap-smtp-email), which is reasonable for email but is not reflected in the declared requirements.
! Instruction Scope
Instructions and scripts operate on local data files (data/orders.json), write backups and logs (logs/status-changes.log, logs/notifications.log), and load an external .env at ../../imap-smtp-email/.env via dotenv. The notification script will connect to an external SMTP server (network I/O) and send email content. The update script accepts --orders-file and --schema-file flags allowing it to read/write arbitrary paths supplied by the caller. The agent instructions are precise but grant the runtime ability to read another skill's credentials file and modify local files — that cross-skill file access and arbitrary path support are scope concerns.
Install Mechanism
No install spec in the registry; this is an instruction-only skill with Node.js scripts and a package.json. Dependencies are limited to dotenv and nodemailer (both present in package-lock.json) and are reasonable for this functionality. No network downloads or archive extraction are used by the skill itself.
! Credentials
The skill requires SMTP_HOST/SMTP_USER/SMTP_PASS (and related SMTP_* envs) at runtime to send emails — createTransporter throws if they are missing — but the registry metadata lists no required environment variables or primary credential. Instead the code loads those values from a relative .env file belonging to another skill (imap-smtp-email). Requesting access to another skill's .env without declaring this dependency is disproportionate and should be explicit. Storing SMTP credentials in a sibling skill's .env is a cross-skill secret access pattern the user should verify.
Persistence & Privilege
The skill does not request always:true or other elevated platform privileges. It persists data only to local files inside the skill directory by default (data/, logs/, .bak). The scripts create backups and logs, and will modify orders.json when run (unless --dry-run). This is expected for a CLI order manager; however, the ability to specify custom orders-file paths means it can be used to overwrite other files if invoked with arbitrary paths (caller-controlled), so exercise normal caution when running with elevated context.
What to consider before installing
What to check before installing/using this skill:

  • SMTP credentials: send-order-notification.js loads SMTP config from ../../imap-smtp-email/.env. Confirm you have (or want to provide) SMTP_HOST/SMTP_USER/SMTP_PASS and related settings, and that you trust the imap-smtp-email skill and its .env file location. The skill metadata does not declare these env vars — treat this as a manual dependency.
  • File writes: update-order-status.js will modify data/orders.json (creates a .bak) and append to logs/status-changes.log. Run with --dry-run first and inspect the backup before letting it write in production.
  • Arbitrary paths: both update and notification scripts accept --orders-file to point to any path; only run these scripts as a user who controls the supplied file paths. Avoid running them as a privileged user or from automated agents with access to sensitive directories.
  • Email behavior: the notification script will connect to the SMTP host and send emails with order content (customer names/emails/order details). Verify you want these messages sent from the configured SMTP account.
  • Origin and trust: source/homepage are unknown. The code is readable and unsurprising, but the skill accesses another skill's .env and does network I/O. If you plan to use it, review the imap-smtp-email .env contents, run smoke tests in the repo (smoke-test.sh uses dry-run), and consider running in an isolated workspace or container first.
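
The arbitrary-path concern raised in the scan (--orders-file and --schema-file accepting any caller-supplied path) is normally closed by confining such paths to the skill directory. The following is an added example, not code from this skill: resolveInside and the temp-directory layout built by demo are hypothetical, and the inputs are constructed.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Hypothetical helper: resolve a caller-supplied path (e.g. the value of
// --orders-file) and refuse anything that ends up outside baseDir.
function resolveInside(baseDir, userPath) {
  const base = fs.realpathSync(baseDir);
  const candidate = path.resolve(base, userPath);
  // The target may not exist yet, so walk up to the deepest existing
  // ancestor and canonicalise that; this is what catches symlinked dirs.
  let existing = candidate;
  const tail = [];
  while (!fs.lstatSync(existing, { throwIfNoEntry: false })) {
    tail.unshift(path.basename(existing));
    existing = path.dirname(existing);
  }
  // realpathSync throws on a dangling symlink, so that case fails closed.
  const real = path.join(fs.realpathSync(existing), ...tail);
  const rel = path.relative(base, real);
  if (rel === '' || rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    throw new Error(`refusing path outside ${base}: ${userPath}`);
  }
  return real;
}

// Constructed layout in a temp dir: <root>/skill/data, plus a symlink
// <root>/skill/link -> <root>/outside. Returns one verdict per input.
function demo() {
  const root = fs.realpathSync(fs.mkdtempSync(path.join(os.tmpdir(), 'skill-')));
  const skill = path.join(root, 'skill');
  fs.mkdirSync(path.join(skill, 'data'), { recursive: true });
  fs.mkdirSync(path.join(root, 'outside'));
  fs.symlinkSync(path.join(root, 'outside'), path.join(skill, 'link'));
  const inputs = [
    'data/orders.json',                        // normal case
    '../../imap-smtp-email/.env',              // relative traversal
    path.join(root, 'outside', 'orders.json'), // absolute path
    'link/orders.json',                        // escape via symlinked dir
  ];
  const verdicts = inputs.map((p) => {
    try { resolveInside(skill, p); return 'allowed'; } catch (e) { return 'rejected'; }
  });
  fs.rmSync(root, { recursive: true, force: true });
  return verdicts;
}

console.log(demo());
```

The check holds at resolve time only; a script using it should open the returned path directly rather than re-resolving the original argument later.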

Like a lobster shell, security has layers — review code before you run it.

latest: vk976pnevtw7rnmxj3s1qkqwmbs83qbqf
299 downloads
0 stars
1 version
Updated 1mo ago
v1.0.0
MIT-0

Order Tracker Skill

Description

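A local order-tracking system that provides manual order status management, customer email notifications, and a command-line dashboard. Intended for managing the lifecycle of Farreach Electronic's foreign-trade orders (from production to delivery), with no integration with factory ERP systems or logistics APIs.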

When to Use

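  • Look up the current status of an order
  • Update an order's status (in production → ready to ship → shipped → completed)
  • Send the customer an email notification of an order status change
  • View the dashboard summary of all in-transit orders
  • Detect overdue or urgent (≤7 days) orders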

Prerequisites

  • Node.js v16+
  • The SMTP .env file of the imap-smtp-email skill must already be configured (used to send notification emails)
  • Install dependencies: npm install (run in the skill directory)

Skills Directory

skills/order-tracker/

How to Invoke

All scripts are run from the scripts/ subdirectory.

1. View Order Dashboard

cd skills/order-tracker/scripts

# View all orders (grouped by status)
node order-dashboard.js

# Filter by status
node order-dashboard.js --status in_production
node order-dashboard.js --status shipped

# View the details of a single order
node order-dashboard.js --order-id ORD-20260324-001

# Output format (table / compact / json)
node order-dashboard.js --format json

2. Update Order Status

cd skills/order-tracker/scripts

# Preview (dry-run, nothing is written)
node update-order-status.js --order-id ORD-20260324-001 --status ready_to_ship --dry-run

# Update the status
node update-order-status.js \
  --order-id ORD-20260324-001 \
  --status shipped \
  --notes "DHL Express, 单号: 1234567890, ETA: 4月25日"

# Update the status and flag that a notification is needed
node update-order-status.js \
  --order-id ORD-20260324-001 \
  --status in_production \
  --notes "工厂已排期" \
  --trigger-notification

3. Send Customer Notification Email

cd skills/order-tracker/scripts

# Preview the email (nothing is sent)
node send-order-notification.js --order-id ORD-20260324-001 --dry-run

# Send the notification (uses the email template for the order's current status)
node send-order-notification.js --order-id ORD-20260324-001

# Send using the template for a specified status
node send-order-notification.js --order-id ORD-20260324-001 --status shipped

Order Status Model

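State machine with 6 states:

pending_production → in_production → ready_to_ship → shipped → completed
                                                              ↘ cancelled (an order can be cancelled at any stage)

| Status | Label (ZH) | Description |
| pending_production | 待生产 | Order confirmed, waiting for production |
| in_production | 生产中 | In production at the factory |
| ready_to_ship | 待发货 | Production finished, waiting for shipment |
| shipped | 已发货 | Goods have been dispatched |
| completed | 已完成 | Customer has confirmed receipt |
| cancelled | 已取消 | Order cancelled |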

Email Templates

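The notification script supports 5 bilingual (EN/ZH) email templates:

  • in_production: production progress notification
  • ready_to_ship: ready-to-ship notification
  • shipped: shipment confirmation (includes the tracking number)
  • completed: order completion confirmation
  • cancelled: cancellation notification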

Typical Workflow Example

BASE=skills/order-tracker/scripts
ORDER=ORD-20260324-001

# Start production and notify the customer
node $BASE/update-order-status.js --order-id $ORDER --status in_production --notes "工厂已排期"
node $BASE/send-order-notification.js --order-id $ORDER

# Ship and notify the customer
node $BASE/update-order-status.js --order-id $ORDER --status shipped --notes "DHL 单号: 1234567890"
node $BASE/send-order-notification.js --order-id $ORDER

# View the dashboard
node $BASE/order-dashboard.js
node $BASE/order-dashboard.js

Data Files

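| File | Path | Description |
| Order data | data/orders.json | All orders (maintained manually) |
| Order schema | config/order-schema.json | JSON Schema validation definition |
| Status change log | logs/status-changes.log | Record of every status update |
| Notification log | logs/notifications.log | Record of emails sent |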

Constraints

  • No integration with factory ERP/MES systems
  • No scraping of logistics APIs
  • Status is updated manually
  • Data is stored in local JSON files

Source

  • Task: task-005 (Phase 3)
  • Implemented by: IRON (bailian/qwen3.5-plus)
  • Reviewed by: WILSON (aiberm/claude-sonnet-4-6)
  • Completed: 2026-03-24
