Steel Supply Source Query

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its steel-marketplace purpose, but it can publish business contact/inventory data to shared or hardcoded destinations without clearly documented boundaries.

Install or use this skill only if you are comfortable sharing steel inventory and business contact details through its platform. Before publishing, confirm the exact destination, fields, and visibility; consider configuring your own Feishu table and push recipient, and remove any cron job when you no longer want daily reports.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user's business inventory, supplier name, contact person, and phone details could be posted/shared if the agent follows the publish workflow too eagerly.

Why it was flagged

The skill instructs the agent to publish an inventory listing containing contact information, but the provided workflow does not show an explicit final confirmation or data-sharing boundary before posting.

Skill content
### 8. Publish inventory to the platform ... **Trigger**: "发布库存" / "我要卖货" ... phone='13800138001' ... InventoryPublisher.publish(item)
Recommendation

Require explicit user confirmation of every field and destination before publishing; provide clear delete/unpublish instructions and avoid sharing phone or WeChat details unless the user opts in.

What this means

Published inventory and contact information may be stored in a shared Feishu table outside the user's own workspace or control.

Why it was flagged

The skill embeds a fixed Feishu Bitable app/table target and routes inventory data through OpenClaw/Feishu tooling, but the artifacts do not clearly describe who controls that table, who can access it, or how data is retained.

Skill content
Inventory search module - accessed via the OpenClaw Feishu tool
Data is stored in a Feishu Bitable
BITABLE_APP_TOKEN = "A27gbl3lDaheavs4sFhcO1K4ngg"
BITABLE_TABLE_ID = "tblOpHmJjdqqr3aD"
Recommendation

Use a user-owned/configurable Feishu table, clearly disclose table ownership and permissions, and document what data is read, written, retained, and visible to others.

What this means

Daily pushes may keep running until the user edits or removes the cron entry.

Why it was flagged

The daily report feature uses an OS-level cron job, which is a persistent scheduled action that can continue after the chat session ends.

Skill content
crontab -e
# Add:
0 9 * * * cd /workspace/projects/workspace/skills/steel-price-query && python scripts/push_daily.py
Recommendation

Only add the cron job if you want persistent daily reports; verify the destination/recipient and remove the crontab entry when no longer needed.

What this means

The skill may read uploaded Excel files, write local data files, and execute its bundled scripts on the user's environment.

Why it was flagged

The skill directs the agent to run included local Python scripts for price queries and Excel inventory import; this is central to the stated purpose, but it is still local code execution.

Skill content
python scripts/scrape_price.py --type 螺纹钢 --region 唐山
python scripts/inventory_excel.py import /path/to/xxx.xlsx
Recommendation

Review the scripts and run them with least privilege; only import files you intended to share with the skill.