← Back to Skills Marketplace
cjboy007

Order Tracker

by Jaden's built a claw · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
317
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install ssa-order-tracker
Description
Track and manage sales orders with status updates, notifications, and dashboard reporting. Supports order creation, status transitions (pending/confirmed/shi...
Usage Guidance
What to check before installing/using this skill: - SMTP credentials: send-order-notification.js loads SMTP config from ../../imap-smtp-email/.env. Confirm you have (or want to provide) SMTP_HOST/SMTP_USER/SMTP_PASS and related settings, and that you trust the imap-smtp-email skill and its .env file location. The skill metadata does not declare these env vars — treat this as a manual dependency. - File writes: update-order-status.js will modify data/orders.json (creates a .bak) and append to logs/status-changes.log. Run with --dry-run first and inspect the backup before letting it write in production. - Arbitrary paths: both update and notification scripts accept --orders-file to point to any path; only run these scripts as a user who controls the supplied file paths. Avoid running them as a privileged user or from automated agents with access to sensitive directories. - Email behavior: the notification script will connect to the SMTP host and send emails with order content (customer names/emails/order details). Verify you want these messages sent from the configured SMTP account. - Origin and trust: source/homepage are unknown. The code is readable and unsurprising, but the skill accesses another skill's .env and does network I/O. If you plan to use it, review the imap-smtp-email .env contents, run smoke tests in the repo (smoke-test.sh uses dry-run), and consider running in an isolated workspace or container first.
Capability Analysis
Type: OpenClaw Skill Name: ssa-order-tracker Version: 1.0.0 The order-tracker skill provides functionality for managing sales orders and sending customer notifications. The script `scripts/send-order-notification.js` contains a risky behavior where it performs a directory traversal to access sensitive SMTP credentials from a sibling skill's directory (`../../imap-smtp-email/.env`). While this cross-skill dependency is explicitly documented in `SKILL.md` and `README.md` as a prerequisite, it represents a security vulnerability by breaking directory isolation and assuming access to external secrets. No evidence of intentional malice, such as unauthorized data exfiltration or backdoors, was found in the code logic.
Capability Assessment
Purpose & Capability
The code implements order dashboard, status updates, and email notifications consistent with the declared purpose. However, the runtime instructions and code implicitly require SMTP credentials (for sending emails) that are not declared in the skill metadata (requires.env is empty). The README and SKILL.md point the SMTP config at a different skill's .env (imap-smtp-email), which is reasonable for email but is not reflected in the declared requirements.
Instruction Scope
Instructions and scripts operate on local data files (data/orders.json), write backups and logs (logs/status-changes.log, logs/notifications.log), and load an external .env at ../../imap-smtp-email/.env via dotenv. The notification script will connect to an external SMTP server (network I/O) and send email content. The update script accepts --orders-file and --schema-file flags allowing it to read/write arbitrary paths supplied by the caller. The agent instructions are precise but grant the runtime ability to read another skill's credentials file and modify local files — that cross-skill file access and arbitrary path support are scope concerns.
Install Mechanism
No install spec in the registry; this is an instruction-only skill with Node.js scripts and a package.json. Dependencies are limited to dotenv and nodemailer (both present in package-lock.json) and are reasonable for this functionality. No network downloads or archive extraction are used by the skill itself.
Credentials
The skill requires SMTP_HOST/SMTP_USER/SMTP_PASS (and related SMTP_* envs) at runtime to send emails — createTransporter throws if they are missing — but the registry metadata lists no required environment variables or primary credential. Instead the code loads those values from a relative .env file belonging to another skill (imap-smtp-email). Requesting access to another skill's .env without declaring this dependency is disproportionate and should be explicit. Storing SMTP credentials in a sibling skill's .env is a cross-skill secret access pattern the user should verify.
Persistence & Privilege
The skill does not request always:true or other elevated platform privileges. It persists data only to local files inside the skill directory by default (data/, logs/, .bak). The scripts create backups and logs, and will modify orders.json when run (unless --dry-run). This is expected for a CLI order manager; however, the ability to specify custom orders-file paths means it can be used to overwrite other files if invoked with arbitrary paths (caller-controlled), so exercise normal caution when running with elevated context.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install ssa-order-tracker
  3. After installation, invoke the skill by name or use /ssa-order-tracker
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: Track and manage sales orders with status updates and notifications
Metadata
Slug ssa-order-tracker
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Order Tracker?

Track and manage sales orders with status updates, notifications, and dashboard reporting. Supports order creation, status transitions (pending/confirmed/shi... It is an AI Agent Skill for Claude Code / OpenClaw, with 317 downloads so far.

How do I install Order Tracker?

Run "/install ssa-order-tracker" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Order Tracker free?

Yes, Order Tracker is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Order Tracker support?

Order Tracker is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Order Tracker?

It is built and maintained by Jaden's built a claw (@cjboy007); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments