← Back to Skills Marketplace

Pinkr Crm

Name: Pinkr Crm
Author: double-jin

by Double-Jin · GitHub ↗ · v0.1.0 · MIT-0

cross-platform ⚠ suspicious

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install pinkr-admin-api

Description

品氪后台 API 调用工具，用于 AI 模型自动调用品氪 CRM 系统。所有接口均为 POST，参数通过 JSON 请求体传递，包含会员查询等常用接口。

Usage Guidance

This skill appears to implement a Pinkr CRM CLI client, but packaging and instruction inconsistencies mean you should be cautious. Before installing: (1) Confirm the source and that the PINKR_ADMIN_NAME/PINKR_PASSWORD requirement in SKILL.md is intentional (registry metadata currently omits them). (2) Avoid granting it permission to read your .env or other global env files that contain unrelated secrets; prefer providing only a scoped CRM service account with minimal permissions. (3) Be aware the CLI accepts a full URL for --endpoint, which could be abused to send data to arbitrary hosts — only allow endpoints you trust (or restrict to the CRM base URL). (4) Note debug output may leak response bodies to stderr/logs; run in an isolated environment if possible. If the author fixes metadata (declares required env vars) and removes or narrows .env access (or documents it clearly), the concerns would be reduced.

Capability Analysis

Type: OpenClaw Skill Name: pinkr-admin-api Version: 0.1.0 The skill bundle is a standard API client for the Pinkr CRM system, designed to allow an AI agent to query member information. The Python code (pinkr_crm.py) and its associated formatters (member.py, system_reminder.py) implement legitimate authentication and data transformation logic, communicating only with the documented endpoint (crm.pinkr.com). No evidence of data exfiltration, malicious execution, or prompt injection was found.

Capability Assessment

ℹ Purpose & Capability

The name/description, code, and declared runtime behavior align: this is a CLI client for the Pinkr CRM that needs an admin username/password to obtain a token and call POST JSON endpoints. However the registry metadata lists no required env vars while the SKILL.md and code require PINKR_ADMIN_NAME and PINKR_PASSWORD — an inconsistency in packaging. Also the repository layout places config files under scripts/, but the runtime code expects config.json and a config/ directory in the working directory, implying the shipped files may not be read unless the packaging/working directory is adjusted.

⚠ Instruction Scope

SKILL.md allows the agent to run the Python CLI and to Read(config.json) and Read(.env). The code will attempt to read config.json/config/field_mappings.json and .env (via environment access). Allowing Read(.env) grants the skill potential access to unrelated secrets in the environment. The CLI also accepts a full URL as --endpoint, so an attacker or misuse could direct credentials or request payloads to arbitrary endpoints. The login routine prints a DEBUG_LOGIN_RESPONSE to stderr on unexpected token formats which could leak sensitive response contents into logs.

✓ Install Mechanism

No external install/downloads are requested; the skill is provided as local Python code and uses standard requests and included formatter modules. No network-based installers or obscure URLs are used. This is low-risk from an installation-origin perspective.

⚠ Credentials

Requiring PINKR_ADMIN_NAME and PINKR_PASSWORD is proportional to a CRM API client. However SKILL.md explicitly permits reading .env and config.json; reading .env can expose other unrelated secrets. The metadata listing no required env vars while SKILL.md and the code require credentials is a mismatch that should be corrected. The client will send those admin credentials (via login) to the configured base_url; if a full URL is provided it may be sent elsewhere, increasing exfiltration risk.

✓ Persistence & Privilege

The skill does not request always:true and does not attempt to persist or modify other skills or system-wide configuration. Tokens are cached only in memory for the run. Autonomous invocation is allowed (platform default) but not combined with extra persistent privileges.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install pinkr-admin-api
After installation, invoke the skill by name or use /pinkr-admin-api
Provide required inputs per the skill's parameter spec and get structured output

Version History

v0.1.0

Initial release of the 品氪后台 API skill (pinkr-crm): - Provides unified API access to 品氪 CRM system for AI model orchestration. - Supports login authentication, token management (with auto-retry), and error handling. - Main features: 查询会员列表 (GetCustomers) and 查询会员详情 (GetCustomer). - All API requests use JSON POST and Bearer token authentication. - Includes user-friendly CLI commands for login, API calls, cache management, and configuration display.

Metadata

Slug pinkr-admin-api

Version 0.1.0

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is Pinkr Crm?

品氪后台 API 调用工具，用于 AI 模型自动调用品氪 CRM 系统。所有接口均为 POST，参数通过 JSON 请求体传递，包含会员查询等常用接口。 It is an AI Agent Skill for Claude Code / OpenClaw, with 87 downloads so far.

How do I install Pinkr Crm?

Run "/install pinkr-admin-api" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Pinkr Crm free?

Yes, Pinkr Crm is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Pinkr Crm support?

Pinkr Crm is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Pinkr Crm?

It is built and maintained by Double-Jin (@double-jin); the current version is v0.1.0.

More Skills