Security scan
OpenClaw
Suspicious
Medium confidence. The skill's declared purpose (querying TTPOS data) matches the single API key it requests, but the skill will construct and POST arbitrary SQL to a remote service of unknown provenance and includes behavior (hiding raw field names) that makes auditing harder, so proceed only after verifying the backend and limiting key scope.
Assessment recommendations
This skill is internally consistent (it needs one API key to query TTPOS), but it will construct and execute arbitrary SQL on a remote service (https://claw.doge6.com) whose source/homepage is not provided. Before installing:
1) Verify the backend service and vendor (do you trust claw.doge6.com and the owner?) and prefer an official homepage or source.
2) Only supply an API key that is scoped with least privilege (read-only, limited companies/tenants, short TTL); do not use high-privilege or cl...
✓ Purpose and capabilities
Name/description say it queries TTPOS via the ttpos-agent API, and the only required secret is LIGHT_BRIDGE_API_KEY; this aligns with the stated purpose.
ℹ Instruction scope
SKILL.md instructs the agent to fetch a guide, list companies, construct SQL based on that guide, and POST arbitrary SQL to /api/v1/query/execute. That is coherent for a query/reporting tool, but giving the skill ability to compose and execute arbitrary SQL remotely increases data-exfiltration risk; the guidance to suppress raw field names and translate enumerations reduces transparency/auditability of returned results.
✓ Installation mechanism
Instruction-only skill with no install step and no downloaded code, so installation risk is minimal.
ℹ Credential requirements
Only LIGHT_BRIDGE_API_KEY is required (plus an optional LIGHT_BRIDGE_URL). That is proportionate to a remote-API query skill. However, the single API key grants whatever access the backend exposes; there is no indication of recommended least-privilege scopes or limits.
✓ Persistence and permissions
The skill's "always" flag is false and the skill is user-invocable; it does not request persistent elevated privileges or modify other skills.
Security comes in layers; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest: v1.0.1 (2026/3/19)
ttpos-agent 1.0.1
- No file changes detected in this version.
- No modifications made to documentation or code.
- Functionality and usage remain unchanged from the previous version.
● Suspicious
Install command
Official: npx clawhub@latest install ttpos-agent
Mirror (accelerated): npx clawhub@latest install ttpos-agent --registry https://cn.longxiaskill.com