МойСклад
by MonsterDeveloper · v1.0.1 · MIT-0
75 Downloads · 0 Stars · 0 Active Installs · 2 Versions
Install in OpenClaw
/install moysklad
Description
МойСклад ERP: manage products, counterparties, orders, warehouses, stock and documents via the REST API. Use when you need to get data from МойСк...
Usage Guidance
This package appears to be a straightforward MoySklad API CLI: it only talks to https://api.moysklad.ru and the code is readable. However, the registry metadata failing to declare that the skill needs MOYSKLAD_TOKEN or MOYSKLAD_LOGIN/MOYSKLAD_PASSWORD is an important mismatch. Before installing, confirm the skill source (author/repository) and prefer using a dedicated API token (not your full account password) with minimal scope. Do not paste credentials into unknown or unverified skill portals. If possible, inspect scripts/moysklad.mjs yourself or run it in a constrained environment (e.g., a disposable account or container) to verify it only contacts api.moysklad.ru. If you manage multiple skills, ensure this skill is not granted persistent or cross-skill credentials and consider requesting the publisher update registry metadata to declare the required env vars.
Capability Analysis
Type: OpenClaw Skill
Name: moysklad
Version: 1.0.1
The skill contains a high-risk credential forwarding vulnerability in `scripts/moysklad.mjs`. The `api` function attaches the `Authorization` header (containing sensitive MoySklad tokens or passwords) to a request for any URL provided in the `path` argument if it starts with 'http', without validating that the destination is the official `api.moysklad.ru` domain. This allows an attacker to exfiltrate credentials by tricking the AI agent into making a request to an external malicious endpoint. While the bundle appears to be a legitimate tool for MoySklad ERP management, this architectural flaw poses a significant security risk.
Capability Assessment
Purpose & Capability
The skill name, description, SKILL.md, and the included Node.js CLI (scripts/moysklad.mjs) all consistently implement a MoySklad REST API helper (listing products, counterparties, orders, creating objects, direct API proxy). Functionality requested by the code is coherent with the stated purpose. However, the registry metadata claims 'Required env vars: none' while the SKILL.md and code explicitly require MOYSKLAD_TOKEN or MOYSKLAD_LOGIN + MOYSKLAD_PASSWORD — this metadata omission is an inconsistency.
Instruction Scope
Runtime instructions are narrowly scoped to authenticating to MoySklad and making REST calls (me, products, orders, create-counterparty, create-order, api proxy). The SKILL.md does not instruct the agent to read unrelated files, hostnames, or system secrets beyond the declared MoySklad credentials. The CLI code likewise only calls the MoySklad API base URL and formats output.
Install Mechanism
There is no install spec (instruction-only deployment plus bundled script). No downloads from external or untrusted URLs, no archives extracted, and the script is plain JavaScript with no obfuscation. This is low-risk from an install perspective.
Credentials
Requiring a MOYSKLAD_TOKEN or login/password is appropriate for a MoySklad integration. The concern is the registry metadata does not declare these required environment variables or mark a primary credential, meaning an agent or installer may not surface a credentials prompt or policy check — increasing the chance a user will unknowingly supply sensitive credentials. The credential types requested (API token or account password) are sensitive and should be explicitly declared in metadata.
Persistence & Privilege
The skill does not request always:true or any elevated system presence; it is user-invocable and uses standard CLI behavior. It does not modify other skills' configs or request persistent agent-wide privileges.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install moysklad
- After installation, invoke the skill by name or use /moysklad
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
- Documentation updated: the mention of the author was removed from the description, and the reference for the moysklad-ts library was deleted.
- The "Setup" section was simplified: dependency installation was removed.
- The reference section now contains only material on the API, the main entities, and code examples.
v1.0.0
Initial release of the moysklad skill — МойСклад ERP integration via REST API.
- Provides CLI commands to list, search, create, and update products, counterparties, orders, warehouses, and invoices.
- Supports authentication via API token or login/password.
- Includes direct API request support (GET, POST, PUT, DELETE).
- Offers quickstart usage examples and detailed CLI command documentation.
- Compatible with Node.js 18+; requires setting environment variables for authentication.
- Includes reference materials and troubleshooting for common errors.
Frequently Asked Questions
What is МойСклад?
МойСклад ERP: manage products, counterparties, orders, warehouses, stock and documents via the REST API. Use when you need to get data from МойСк... It is an AI Agent Skill for Claude Code / OpenClaw, with 75 downloads so far.
How do I install МойСклад?
Run "/install moysklad" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is МойСклад free?
Yes, МойСклад is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does МойСклад support?
МойСклад is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created МойСклад?
It is built and maintained by MonsterDeveloper (@monsterdeveloper); the current version is v1.0.1.