Security scan
OpenClaw
Suspicious
high confidence
The skill's code and instructions are internally inconsistent and rely on an undisclosed local DB client (via an absolute path), which is disproportionate to the declared metadata and raises data-access and injection concerns.
Assessment recommendations
Do not install or run this skill until the author clarifies and fixes the inconsistencies. Specific issues to resolve: 1) The SKILL.md example calls analyze_benchmark but the code function is analyze — fix the docs or code. 2) Remove or explain the hard-coded sys.path insertion ('/Users/yangguangwei/...') — this ties the skill to a specific user's workspace and hides dependencies; the skill should import public modules or document required local modules and config paths. 3) Declare any database/...
Detailed analysis
⚠ Purpose and capability
The skill claims to be a store benchmark analyzer and the code implements that logic, but it imports query_database from a hard-coded absolute path ('/Users/yangguangwei/.openclaw/workspace-front-door'), implying a dependency on a local API client or database connector not declared in the metadata. The manifest states no required env/config, but the code clearly depends on an external data source (database) accessed via api_client—this mismatch is unexplained and disproportionate.
⚠ Instruction scope
SKILL.md example calls analyze_benchmark and ComparisonScope from analyze, but the actual code exposes analyze and ComparisonScope; the sample Python call uses a different function name (analyze_benchmark) which will fail. The code constructs raw SQL using user-supplied scope_code and date strings without sanitization (risk of SQL injection depending on query_database implementation). SKILL.md does not disclose the need for a database client or credentials, yet the runtime instructions (the code) will attempt DB queries.
ℹ Install mechanism
There is no install spec (instruction-only), which is low risk, but a code file is included that will import a local module via an absolute filesystem path. Because there's no declared install step, it's unclear how query_database will be provided in other environments. This is surprising and fragile rather than a straightforward install risk.
⚠ Credential requirements
The skill declares no required environment variables or credentials, yet it queries a database via query_database. That likely requires DB connection configuration (credentials, hosts) provided implicitly by the imported api_client module or local environment—these are not declared. The code thus may access sensitive data without the manifest indicating required credentials, which is disproportionate and opaque.
✓ Persistence and privileges
The skill is not always-enabled and does not request persistent privileges. It does not modify other skills or global agent settings in the provided files.
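Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/3/26
Initial release: supports multi-dimensional comparison, store tiering, and matrix quadrant analysis
● Suspicious
Install command
Official: npx clawhub@latest install retail-store-benchmark-analysis
Mirror: npx clawhub@latest install retail-store-benchmark-analysis --registry https://cn.clawhub-mirror.com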
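Skill documentation
Skill name
store-benchmark-analysis
Description
Compares a store with other stores in the group or region, analyzing store tier, ranking changes, and the "average unit price × units per transaction" matrix quadrant.
Core capabilities
1. Comparison scope
- GROUP (group) - the entire group
- REGION (region) - a region (e.g. the Southwest region)
- PROVINCE (province) - a province
- CITY (city) - a city
2. Store tier assessment
A combined assessment based on the following metrics:
- Sales revenue
- Order count
- Average order value
- Units per transaction
3. Ranking change tracking
- Current-period rank vs previous-period rank
- Analysis of rank gains and losses
4. Average unit price × units per transaction matrix
Identifies store positioning:
- High unit price × high units per transaction: boutique store
- High unit price × low units per transaction: premium but weak cross-selling
- Low unit price × high units per transaction: budget with strong cross-selling
- Low unit price × low units per transaction: needs improvement across the board
Usage example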
from analyze import analyze_benchmark, ComparisonScope

# Analyze the store benchmark
result = analyze_benchmark(
    store_id="416759_1714379448487",
    comparison_scope=ComparisonScope.REGION,
    from_date="2026-03-01",
    to_date="2026-03-25"
)
Version
v1.0.0 - multi-dimensional comparison, store tiering, matrix quadrant analysis
Data source: ClawHub · Chinese optimization: 龙虾技能库