pancake-skills

v1.0.0

Interact with the Pancake Platform API to manage pages, conversations, messages, customers, statistics, tags, posts, and users. Use when you need to (1) manage pages and generate access tokens, (2) handle conversations and messages, (3) manage customer information, (4) view statistics and analytics, (5) manage tags and posts, (6) manage users/staff, (7) upload media content, (8) perform chat plugin operations.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code and SKILL.md implement a Pancake Platform API client (pages, conversations, messages, customers, stats, uploads, etc.) which matches the skill name/description. However, the registry metadata claims no required environment variables/primary credential while the scripts and SKILL.md clearly require USER_ACCESS_TOKEN and PAGE_ACCESS_TOKEN (and optionally PANCAKE_BASE_URL and CONFIRM_WRITE). This discrepancy is unexpected and should be resolved.
Instruction Scope
Runtime instructions and scripts limit activity to Pancake API endpoints (pages.fm) and to operations described in the README/SKILL.md. They do not attempt to read arbitrary local files or contact unrelated external endpoints. Guardrails (CONFIRM_WRITE, and the described GET-before-write requirement) are present in the docs and enforced by scripts.
Install Mechanism
There is no remote installer; the skill is instruction/code-only (shell scripts and an OpenAPI YAML) and does not download or execute code from external URLs during install. This is a low-risk install model.
Credentials
The scripts require USER_ACCESS_TOKEN and PAGE_ACCESS_TOKEN (and optionally PANCAKE_BASE_URL and CONFIRM_WRITE). The registry metadata incorrectly lists no required env vars/primary credential; that mismatch is a red flag because a user relying on metadata would not be warned to provide sensitive tokens. Also the scripts send tokens as query parameters (page_access_token/access_token) per the API spec — this is functional but increases the chance tokens are logged in transit or by intermediaries compared with using an Authorization header. Tokens are not stored in the repo, and CONFIRM_WRITE defaults to blocking writes, which is good.
Persistence & Privilege
The skill does not request persistent 'always' presence and does not modify other skills or system-wide configuration. It does not persist credentials to disk. Model invocation/autonomy defaults are unchanged (normal).
What to consider before installing
This skill appears to be an honest Pancake API client, but the published metadata omitted required environment variables. Before installing: (1) Confirm you trust the skill author/source (source/homepage unknown). (2) Expect to set USER_ACCESS_TOKEN and PAGE_ACCESS_TOKEN in your environment — do not embed tokens in the repo. (3) Note tokens are passed in query strings (page_access_token/access_token) which can be logged by intermediaries; prefer short-lived or limited-scope tokens and rotate them after use. (4) Keep CONFIRM_WRITE unset until you explicitly want to allow write actions. (5) Review the scripts locally to ensure no unexpected network calls and test in an isolated environment. If the registry metadata were corrected to declare the required env vars and the author/source can be verified, my concerns would be reduced.

Like a lobster shell, security has layers — review code before you run it.
