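橙子通 API Automation
v1.0.0
API automation for the 橙子通 (orange-office.cn) inventory management system. Used to create stockout orders, query stock, manage streamer warehouses, and so on through the API, with no browser required.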
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The skill's name and description match the instructions: it documents how to query stock, create/update/delete stockout orders, and how to write inventory snapshots to DingTalk tables. The listed teamId, locId, tableId and fieldId mappings are consistent with the described use-case.
Instruction Scope
SKILL.md gives concrete API paths, a signing algorithm (static salt), request headers, and payload examples for orange-office.cn — all within scope. It also instructs reading/writing DingTalk tables (get_fields, writing records via cells) but does not include explicit DingTalk API endpoint/URL or authentication flow; it expects a live ASP.NET_SessionId Cookie for orange-office and implies use of some SESSION variable. The document references sensitive inputs (session cookie, possibly DingTalk credentials) but does not declare how the agent should securely obtain them.
Install Mechanism
No install spec and no code files (instruction-only). Nothing is written to disk or downloaded during install, which is the lowest-risk installation footprint.
Credentials
The skill does not declare any required environment variables, yet the examples reference a SESSION value (ASP.NET_SessionId) and the instructions require valid session cookies and likely DingTalk credentials to read/write tables. Asking for those credentials would be expected for this functionality, but omission is a mismatch that the user should notice because these are sensitive secrets.
Persistence & Privilege
Flags show always:false and normal autonomous invocation allowed. The skill does not request permanent presence or modify other skills; no elevated persistence or privilege is requested by the package itself.
Assessment
This skill is largely coherent with its description: it documents how to call orange-office APIs and how to update DingTalk tables. Before using it, be aware that it requires sensitive credentials that are not declared in the metadata: a valid ASP.NET_SessionId cookie for orange-office and (likely) DingTalk API access to write tables. Only provide those credentials if you trust the skill author and the runtime environment. Prefer using a limited-permission or test account and avoid sharing your primary account's session token. Ask the author to (1) declare required env vars (e.g., ORANGE_OFFICE_SESSION, DINGTALK_TOKEN) in the skill metadata, (2) specify exact DingTalk endpoints and auth flow, and (3) confirm that no data is sent to any third-party endpoints other than orange-office.cn and the official DingTalk API. If you cannot verify the source, test with throwaway credentials and monitor outbound network requests.
Like a lobster shell, security has layers — review code before you run it.
