← Back to Skills Marketplace
honor
by
johnmcgucki
· GitHub ↗
· v1.0.0
989
Downloads
0
Stars
2
Active Installs
1
Versions
Install in OpenClaw
/install picqer-fulfillment
Description
Provides JSON API commands to fetch Picqer dashboard KPIs, picklists, stock movements, and revenue data for order fulfillment monitoring.
Usage Guidance
This package contains a Picqer dashboard implementation that will read PICQER_SUBDOMAIN and PICQER_API_KEY from environment and will start a background sync every 5 minutes. Before installing: (1) confirm the skill metadata is corrected to declare required env vars (PICQER_SUBDOMAIN, PICQER_API_KEY); (2) verify you are comfortable storing the Picqer API key in the local .env and that the runtime enforces the stated access restrictions (Tailscale); (3) accept that the skill will perform autonomous periodic network calls (cron) even when not invoked via commands; and (4) review the code yourself or run in an isolated environment to ensure no hidden exfiltration. If you want a stricter review, ask for verification that the skill will not run the cron when disabled and request the author to update SKILL.md/registry metadata to list required env vars and document the background sync.
Capability Analysis
Type: OpenClaw Skill
Name: picqer-fulfillment
Version: 1.0.0
The OpenClaw skill 'picqer-fulfillment' is designed for fetching and processing Picqer dashboard data. It securely handles API keys by loading them from environment variables via `dotenv` (`env.ts`) and uses them for authenticated requests to the Picqer API (`picqer-api.ts`). Input filters are safely incorporated into URL query parameters, preventing injection vulnerabilities. The `SKILL.md` explicitly instructs the agent to provide JSON-only responses, mitigating prompt injection risks against the agent itself. While `cron.ts` sets up a recurring task, its purpose is benign data synchronization, and no evidence of malicious execution, data exfiltration to unauthorized endpoints, or persistence mechanisms beyond its stated function was found. The markdown rendering functions in `dashboard-renderer.ts` are not intended for the agent's output, as per `SKILL.md`.
Capability Assessment
Purpose & Capability
Code implements a FutureFulfillment Picqer dashboard (fetching picklists, stock, orders) but registry metadata is sparse: the skill name is 'honor' while code/class/slug refer to a Picqer dashboard. SKILL.md documents Picqer commands, but required environment variables (PICQER_SUBDOMAIN and PICQER_API_KEY) are not declared in the registry metadata. This mismatch between declared purpose/requirements and actual code is incoherent.
Instruction Scope
SKILL.md documents a JSON-only command API and notes that API key lives in a local .env and access is via Tailscale. However, the code contains a cron.ts that starts a recurring sync every 5 minutes (auto network calls) which is not mentioned in SKILL.md. The code reads only PICQER_SUBDOMAIN and PICQER_API_KEY and calls picqer.com endpoints; there is no evidence of other data collection or external endpoints, but the background syncing is out-of-band relative to the documented commands.
Install Mechanism
There is no install spec (instruction-only in metadata) but the package includes source files and package.json with dependencies (dotenv, @openclaw/sdk). No external downloads or obscure URLs are used. The lack of an explicit install spec is unusual given the included code and package.json, but it's not directly hostile.
Credentials
The code requires PICQER_SUBDOMAIN and PICQER_API_KEY from environment (.env) but the skill's declared required env vars/primary credential fields are empty. Requesting an API key for the integrated service would be reasonable, but failing to declare them in metadata is a significant inconsistency that could hide credential requirements from users or automated checks.
Persistence & Privilege
cron.ts launches an initial sync and schedules setInterval to run every 5 minutes, causing autonomous periodic network activity whenever the skill is loaded. always:false so it's not globally forced, but the background process is not documented in SKILL.md. Combined with autonomous invocation allowed (platform default), this increases the surprise/blast radius if the skill is enabled.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install picqer-fulfillment - After installation, invoke the skill by name or use
/picqer-fulfillment - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of FutureFulfillment Picqer Dashboard v2 skill.
- Provides a JSON-only API for dashboard data with no markdown or chat explanations.
- Supports commands to fetch complete dashboard data, picklists, stock movements, and revenue per client.
- All responses are in JSON format, including structured error messages.
- Implements security via local API key and Tailscale-only access; no credentials in OpenClaw config.
Metadata
Frequently Asked Questions
What is honor?
Provides JSON API commands to fetch Picqer dashboard KPIs, picklists, stock movements, and revenue data for order fulfillment monitoring. It is an AI Agent Skill for Claude Code / OpenClaw, with 989 downloads so far.
How do I install honor?
Run "/install picqer-fulfillment" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is honor free?
Yes, honor is completely free (open-source). You can download, install and use it at no cost.
Which platforms does honor support?
honor is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created honor?
It is built and maintained by johnmcgucki (@johnmcgucki); the current version is v1.0.0.
More Skills