Store Benchmark Analysis (门店Benchmark分析)
by Xtechmerge.AI · v1.0.0 · MIT-0
119 Downloads · 0 Stars · 0 Active Installs · 1 Version
Install in OpenClaw
/install retail-store-benchmark-analysis
Description
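Store benchmark analysis tool. Compares a store with other stores in the group or region and analyzes store tier, ranking changes, and the price-per-item × attachment-rate matrix quadrants.
Core capabilities:
1. Multi-dimensional comparison scope (whole group, region, province, city)
2. Store tier assessment (based on sales revenue, order count, average order value, attachment rate)
3. Ranking change tracking (current-period rank vs. previous-period rank)
4. Price-per-item × attachment-rate matrix quadrant analysis (identify stores...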
Usage Guidance
Do not install or run this skill until the author clarifies and fixes the inconsistencies. Specific issues to resolve:
1) The SKILL.md example calls analyze_benchmark but the code function is analyze; fix the docs or code.
2) Remove or explain the hard-coded sys.path insertion ('/Users/yangguangwei/...'); this ties the skill to a specific user's workspace and hides dependencies. The skill should import public modules or document required local modules and config paths.
3) Declare any database/API credentials or config required (host, user, password, tokens). Right now no env vars are declared, yet the code calls query_database, which could access sensitive data.
4) Prevent SQL injection: avoid concatenating user inputs (scope_code, dates) directly into SQL; use parameterized queries or validate/sanitize inputs.
5) Ask the author to provide the implementation or provenance of api_client.query_database (what DB, where it connects, who can access it).
Until these are addressed, treat the skill as suspicious and run it only in an isolated environment after reviewing or replacing api_client with a known-safe connector.
Capability Analysis
Type: OpenClaw Skill
Name: retail-store-benchmark-analysis
Version: 1.0.0
The skill contains a critical SQL injection vulnerability in `analyze.py` within the `fetch_stores_performance` function, where parameters such as `scope_code`, `from_date`, and `to_date` are directly interpolated into SQL strings using f-strings. Additionally, the script includes a hardcoded absolute path to a specific user's home directory (`/Users/yangguangwei/`) to import local modules, which is a significant security risk and portability flaw. While these are high-risk vulnerabilities, they appear to be unintentional coding errors rather than intentional malware.
Capability Assessment
Purpose & Capability
The skill claims to be a store benchmark analyzer and the code implements that logic, but it imports query_database from a hard-coded absolute path ('/Users/yangguangwei/.openclaw/workspace-front-door'), implying a dependency on a local API client or database connector not declared in the metadata. The manifest states no required env/config, but the code clearly depends on an external data source (database) accessed via api_client—this mismatch is unexplained and disproportionate.
Instruction Scope
SKILL.md example calls analyze_benchmark and ComparisonScope from analyze, but the actual code exposes analyze and ComparisonScope; the sample Python call uses a different function name (analyze_benchmark) which will fail. The code constructs raw SQL using user-supplied scope_code and date strings without sanitization (risk of SQL injection depending on query_database implementation). SKILL.md does not disclose the need for a database client or credentials, yet the runtime instructions (the code) will attempt DB queries.
Install Mechanism
There is no install spec (instruction-only), which is low risk, but a code file is included that will import a local module via an absolute filesystem path. Because there's no declared install step, it's unclear how query_database will be provided in other environments. This is surprising and fragile rather than a straightforward install risk.
Credentials
The skill declares no required environment variables or credentials, yet it queries a database via query_database. That likely requires DB connection configuration (credentials, hosts) provided implicitly by the imported api_client module or local environment—these are not declared. The code thus may access sensitive data without the manifest indicating required credentials, which is disproportionate and opaque.
Persistence & Privilege
The skill is not always-enabled and does not request persistent privileges. It does not modify other skills or global agent settings in the provided files.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: `/install retail-store-benchmark-analysis`
- After installation, invoke the skill by name or use `/retail-store-benchmark-analysis`
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: supports multi-dimensional comparison, store tiers, and matrix quadrant analysis
Frequently Asked Questions
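What is Store Benchmark Analysis?
Store benchmark analysis tool. Compares a store with other stores in the group or region and analyzes store tier, ranking changes, and the price-per-item × attachment-rate matrix quadrants. Core capabilities: 1. Multi-dimensional comparison scope (whole group, region, province, city) 2. Store tier assessment (based on sales revenue, order count, average order value, attachment rate) 3. Ranking change tracking (current-period rank vs. previous-period rank) 4. Price-per-item × attachment-rate matrix quadrant analysis (identify stores... It is an AI Agent Skill for Claude Code / OpenClaw, with 119 downloads so far.
How do I install Store Benchmark Analysis?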
Run "/install retail-store-benchmark-analysis" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Store Benchmark Analysis free?
Yes, Store Benchmark Analysis is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Store Benchmark Analysis support?
Store Benchmark Analysis is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Store Benchmark Analysis?
It is built and maintained by Xtechmerge.AI (@gwyang7); the current version is v1.0.0.