purchase-record

Automatically parses input like "采购 <日期> <物品名称> <价格>" and records the purchase details into purchase_record.xlsx on the desktop.

This skill appears to implement the described purchase-record functionality, but there are practical and security issues to consider before installing: - Hardcoded paths: Several scripts use an absolute Windows path with a specific username. If your environment uses a different user or OS, the skill will fail or attempt to read/write an unexpected location. Prefer the record.py approach (Path.home()/Desktop) or change the path to a configurable value. - Undeclared runtime dependencies: The package includes Node and Python code and requires libraries (exceljs, openpyxl) and a Python interpreter, but the manifest declares no required binaries or install steps. Make sure you have Python, Node, and the needed packages installed, or the skill will fail. - Shell execution risk: index.js builds a shell command with the user message and runs it via exec. This can be dangerous (shell injection) if the message contains unexpected characters. Consider reviewing and sanitizing inputs or using spawn with an argument array (no shell) or invoking Python code directly via require/spawn without shell interpolation. - Data safety: The skill will create or modify purchase_record.xlsx on your Desktop and may overwrite cells. Back up any important files before using. - Code quality issues: Some scripts contain bugs/mismatches (e.g., test.js calls a non-existent handlePurchase export). The Python parser regex in add_purchase.py appears malformed. Expect potential runtime errors. Recommendation: If you want to use this skill, inspect and modify the code first: (1) fix the hardcoded path to be configurable or use Path.home(); (2) replace exec-based invocation with a safer IPC mechanism (spawn with args or call Python functions directly); (3) ensure dependency installation is documented and performed in a sandboxed environment; (4) back up the Excel file. If you are not comfortable reviewing/modifying code, do not install it in a production environment.

Type: OpenClaw Skill Name: purchase-record Version: 1.0.1 The skill contains a shell injection vulnerability in `scripts/index.js`, where user-provided input is executed via `child_process.exec` with inadequate sanitization (only escaping double quotes). Furthermore, the skill relies on highly specific, hardcoded absolute file paths targeting a particular user's desktop and workspace (e.g., `C:\Users\Administrator.rjazz-2022BWPUD\Desktop\purchase_record.xlsx`) across multiple files including `scripts/add_purchase.js`, `scripts/add_purchase.py`, and `scripts/index.js`. While these behaviors align with the stated purpose of logging data to Excel, the combination of RCE risk and environment-specific targeting is irregular and poses a security risk.