ziniao-erp-api-doc

Pass. Audited by ClawScan on May 1, 2026.

Overview

This is a documentation-only skill with no code or install step, but it describes powerful ERP API operations and API-key access that users should handle carefully.

This skill appears safe to install as documentation. Before using it to implement real API calls, protect the API key, request least-privilege permissions, and review any action that deletes accounts, changes staff or roles, modifies access policies, purchases or renews devices, or handles passwords.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a user later uses these docs to build or run API calls, mistakes could change business accounts, staff access, devices, or paid resources.

Why it was flagged

The skill documents mutating ERP operations such as account changes, device purchasing/renewal, and staff enable/disable actions. This is expected for ERP API documentation, but any generated implementation should require explicit user approval before performing these operations.

Skill content

| Module | Interfaces | Operations |
|---|---|---|
| Account management | 22 | Account CRUD, authorization management, tag system, cache clearing |
| Device management | 11 | Plan/device purchase and renewal, binding/unbinding, own-device management |
| Departments and staff | 10 | Department CRUD/move, staff add/modify/query/enable-disable |

Recommendation

Use the skill as reference material, and require clear human confirmation for delete, purchase, renewal, role, staff, authorization, or access-policy changes.

What this means

A leaked or over-permissioned API key could allow unwanted ERP access or changes through the documented endpoints.

Why it was flagged

The documented API relies on a Bearer API key and specific ERP permission points. This is normal for the stated integration purpose, but it represents delegated account authority that should be tightly scoped and protected.

Skill content

**API Key authentication**: Create a "seller self-developed application" on the open platform and select "simple general mode" to obtain an API Key. Request header: `Authorization: Bearer {API_Key}`.

**Permission point system**: Each interface belongs to a "permission point"; the application must apply on the open platform to enable the corresponding permission before it can call that interface.

Recommendation

Store API keys securely, grant only the needed permission points, configure IP whitelisting as described, and avoid pasting real keys or passwords into chats or logs.