历史基线分析 (Historical Baseline Analysis)
by Xtechmerge.AI · GitHub ↗ · v1.0.0 · MIT-0
98 Downloads · 0 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw
/install retail-store-poscore-baseline-analysis
Description
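Historical baseline analysis tool for retail stores. Built on the Agent API database views, it provides multi-period baselines plus quartile analysis. Core capabilities:
1. Multi-period baselines (13 weeks/quarter, 26 weeks/half-year, 52 weeks/full year, 12 months)
2. Multi-dimensional grouping (by day of week, calendar week, calendar month)
3. Quartile analysis (P25/P50/P75, identifying anomalous ranges)
4. Baseline types (weekday: by day of week...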
Usage Guidance
This skill appears to implement the baseline analysis it advertises, but there are red flags you should address before installing or running it in production:
- The code inserts a hard-coded absolute path (/Users/yangguangwei/...) into sys.path and imports api_client from there. Ask the publisher why this external module is required and request that api_client be bundled, replaced with a documented dependency, or imported via a relative path. Running the skill as-is could cause it to execute code outside the skill bundle if that path exists in your environment.
- query_database is called but not defined in the skill; confirm what api_client.query_database does, what credentials it uses, and whether it can access more data than intended. Prefer explicit, documented dependencies or an SDK instead of implicit imports.
- The SQL strings are built via f-strings with interpolated store_id/dates. If you or callers can pass untrusted input into store_id, this could produce unexpected SQL. Validate or sanitize inputs if you accept external values.
- Some data-fetching functions (weekly/monthly) appear unimplemented/return empty lists; test the skill with non-production data and review outputs for correctness.
If you cannot get satisfactory answers about the api_client dependency and the hard-coded path, treat the skill as risky and avoid running it in environments where that path could contain attacker-controlled code or where query_database has broad DB privileges.
Capability Analysis
Type: OpenClaw Skill
Name: retail-store-poscore-baseline-analysis
Version: 1.0.0
The skill performs retail store performance baseline analysis but contains potential SQL injection vulnerabilities in analyze.py (e.g., fetch_daily_data, fetch_weekly_data) where user-provided parameters like store_id and dates are inserted directly into SQL queries using f-strings. It also relies on a hardcoded local file path (/Users/yangguangwei/...) to import its database client, which is a poor practice but not inherently malicious.
Capability Assessment
Purpose & Capability
Name/description (store baseline analysis) match the code's functionality (fetch historical data, compute quartiles, compare current vs baseline). The dependency on an Agent API query_database function is reasonable for a DB-backed analysis tool. However, the code also modifies sys.path to a user-specific absolute path (/Users/yangguangwei/.openclaw/workspace-front-door) to import api_client, which is unusual for a distributable skill and not justified in SKILL.md.
Instruction Scope
SKILL.md describes only analysis and shows a simple Python API. The actual runtime code issues SQL queries (via query_database) built with f-strings, parses results, and returns baselines. That's within expected scope, but the SQL is constructed with unsanitized interpolation of store_id and dates (typical but worth noting). The skill reads nothing else from the system in the provided code, but it depends on an external api_client (see Purpose & Capability).
Install Mechanism
No install spec (instruction-only / code bundled). Nothing is downloaded or written by an installer. This is the lower-risk arrangement for skill installation.
Credentials
The skill declares no required environment variables or credentials, which superficially limits exposure. However, it forcibly adds a hard-coded absolute path to sys.path and imports api_client from outside the skill package; that external module could access credentials or agent internals at runtime. The lack of declared dependency / explanation for api_client is disproportionate and obscures what privileges the skill will use.
Persistence & Privilege
always is false and the skill does not request persistent/always-on privileges or modify other skills. Autonomous invocation is allowed (platform default) but not combined with other elevated flags.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install retail-store-poscore-baseline-analysis
- After installation, invoke the skill by name or use /retail-store-poscore-baseline-analysis
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: supports multi-period baselines and quartile analysis
Frequently Asked Questions
What is 历史基线分析?
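Historical baseline analysis tool for retail stores. Built on the Agent API database views, it provides multi-period baselines plus quartile analysis. Core capabilities: 1. Multi-period baselines (13 weeks/quarter, 26 weeks/half-year, 52 weeks/full year, 12 months) 2. Multi-dimensional grouping (by day of week, calendar week, calendar month) 3. Quartile analysis (P25/P50/P75, identifying anomalous ranges) 4. Baseline types (weekday: by day of week... It is an AI Agent Skill for Claude Code / OpenClaw, with 98 downloads so far.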
How do I install 历史基线分析?
Run "/install retail-store-poscore-baseline-analysis" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is 历史基线分析 free?
Yes, 历史基线分析 is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does 历史基线分析 support?
历史基线分析 is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created 历史基线分析?
It is built and maintained by Xtechmerge.AI (@gwyang7); the current version is v1.0.0.