horngtan

Roty Tiffin Skill

by Horng Yang Tan · GitHub ↗ · v0.1.0
cross-platform ⚠ suspicious
Downloads: 344
Stars: 0
Active Installs: 0
Versions: 1
Install in OpenClaw
/install add-tiffin-order-roty-input
Description
Parse "Roty input" messages from authorized Telegram users to create Roty tiffin orders via HTTPS POST without UI automation.
README (SKILL.md)

name: add-tiffin-order-roty-input
description: "POST-only: Parse 'Roty input' messages and create Roty orders via HTTPS POST (no Playwright/UI automation)."

Add Tiffin Order - Roty Input (POST-only)

Trigger

Run when an inbound message contains the exact phrase "Roty input" (case-insensitive).

Important

  • DO NOT use Playwright, browser automation, screenshots, or vision clicks.
  • This skill creates orders only by sending a JSON payload via HTTPS POST to: https://newdailyorderandcartcreation-818352713629.australia-southeast1.run.app

Execution (MANDATORY)

When triggered, you MUST call the dispatcher script and use its output. Do NOT manually construct curl or JSON payloads.

Run: python3 /data/.openclaw/workspace/skills/add-tiffin-order-roty-input/scripts/handle_message.py <sender_id> "<full inbound message>"

Rules:

  • Always POST using the dispatcher (unless it returns Missing address/dates/product).
  • Never hardcode perProductCost (never "[15]").
  • Never use hardCodedPrice for perProductCost.
  • perProductCost MUST come from pricing_engine.py via handle_message.py.

Authorization (Telegram)

  • Only allow Telegram users whose from.id is in: data/allowed_users.json under admins or vendors.
  • If unauthorized: reply "Not authorized."

Behavior

  1. Parse messy input into:
    • customerName
    • userAddress
    • deliveryDates (must resolve at least 1 date; otherwise ask a follow-up)
    • product selection + modifiers
    • specialRequests
  2. Build payload in the exact API shape (see build_payload.py).
  3. Send POST immediately (no "Dry-run vs Live" prompt), unless:
    • address missing, OR
    • no dates resolved, OR
    • product not matched
     In those cases, ask only for the missing piece.
  4. On success: confirm with cartNo.

Scripts

  • Dispatcher: scripts/handle_message.py
  • Parser: scripts/parse_roty_input.py
  • Matcher: scripts/match_product_and_modifiers.py
  • Pricing: scripts/pricing_engine.py
  • Payload: scripts/build_payload.py
  • POST sender (urllib): scripts/post_order.py
  • Products registry: data/products_roty.json
  • Allowlist: data/allowed_users.json
Usage Guidance
What to check before installing or enabling this skill:

  1. Remove or isolate Playwright/automation files if you intend to enforce POST-only behavior. The SKILL.md forbids UI automation but the package includes Playwright templates and scripts that would perform browser actions and type credentials — delete or audit these files.
  2. Verify the hardcoded POST endpoint and the provider who controls it. This skill will send parsed customer addresses, names, phone numbers, and order details to that URL. If you do not control or trust that endpoint, do not install or run it.
  3. Treat embedded plaintext credentials as potential secrets: either confirm they are dummy/test values, or rotate any real credentials and remove them from code. Search the repo for any other hardcoded secrets.
  4. Decide which dry-run policy you want and make it explicit: either set DRY_RUN=1 for testing or modify handle_message.py/RULES.md so both agree. Run many DRY_RUN tests with test messages to validate parser, pricing and payload shapes before allowing live posts.
  5. Review allowed_users.json and onboarding behavior. onboard_product allows OpenClaw context to bypass admin checks; ensure only trusted processes can set OPENCLAW_CONTEXT. If you rely on human admin control, limit or remove openclaw bypass.
  6. Consider a code cleanup: remove unused templates, strip credentials, and document which files are authoritative for runtime. After cleanup, re-run tests and only then enable the skill for autonomous invocation.

If you want higher confidence I can: (a) list every file that contains literals resembling credentials or endpoints, (b) show the exact payload shape the skill will POST for a sample message, or (c) suggest a minimal trimmed package that implements only the POST path with no automation templates.
Capability Analysis
Type: OpenClaw Skill
Name: add-tiffin-order-roty-input
Version: 0.1.0

The skill bundle contains hardcoded credentials (email and password) for a 'samwisethebot' account within the automation scripts `roty_order_automation.py` and `roty_playwright_dryrun.py`. Furthermore, `onboard_product.py` includes a logic bypass where the `openclaw_context` flag allows users to skip administrative authorization checks when modifying the product database. While these appear to be functional remnants of a specific business integration (Roty Tiffin), the combination of plaintext credentials and intentional authorization bypasses represents a significant security risk.
Capability Assessment
Purpose & Capability
The stated purpose is to parse Telegram messages and create orders via HTTPS POST, which matches the dispatcher, parser, pricing, payload builder, and post_order scripts. However the repo also contains Playwright/vision automation templates (roty_order_automation.py, roty_playwright_dryrun.py) and embedded login credentials which are outside the claimed 'POST-only / no UI automation' purpose — this is an unexpected capability and a coherence problem.
Instruction Scope
SKILL.md mandates a single entrypoint (scripts/handle_message.py) and says explicitly 'DO NOT use Playwright or browser automation'. The dispatcher and helper scripts follow that model. But several included scripts implement browser automation, take screenshots, and even type credentials; these files are not referenced by the SKILL.md execution path but remain in the package and contradict the declared runtime restrictions. Documentation also conflicts internally: SKILL.md requires immediate POST (no dry-run prompt) while RULES.md states dry-run by default.
Install Mechanism
There is no install spec (instruction-only install), so nothing is downloaded or auto-installed by the manifest. That minimizes install-time risk. The only code is bundled in the skill archive; no external URLs or extraction steps are present.
Credentials
The skill declares no required environment variables, but the runtime uses DRY_RUN and OPENCLAW_CONTEXT environment variables (undocumented in requires.env). More importantly, several scripts contain hardcoded sensitive-looking values: a remote POST endpoint is hardcoded in SKILL.md and post_order.py, build_payload.py hardcodes userRef/vendorRef, and Playwright automation contains plaintext email/password and phone numbers. The embedded plaintext credentials and the external endpoint mean customer order data would be sent to an external host and that sensitive secrets are present in code — disproportionate given the stated safety rules.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It reads/writes only its own data files (e.g., data/allowed_users.json, products_roty.json). onboard_product allows bypass when OPENCLAW_CONTEXT is set (expected for platform-managed calls) but this is normal for admin-onboard flows.
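The mismatches described in this assessment (browser-automation code in a bundle declared POST-only, string literals held in secret-looking variables, environment variables read but never declared) can be checked mechanically before a skill is enabled. The sketch below is an added example, not part of the skill or of the marketplace's scanner; the file names and contents in SAMPLE_BUNDLE are constructed, and the secret-name pattern is an assumed heuristic.

```python
import ast
import re

SECRET_NAME = re.compile(r"password|passwd|secret|token|api_?key", re.I)
ENV_GETTERS = ("os.getenv", "os.environ.get")

def audit_source(filename, source, declared_env=()):
    """Return sorted (filename, line, finding) tuples for one Python file."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        # 1) Browser automation inside a bundle that claims to be POST-only.
        mods = []
        if isinstance(node, ast.Import):
            mods = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            mods = [node.module or ""]
        for mod in mods:
            if mod.split(".")[0] == "playwright":
                findings.append((filename, node.lineno, "ui-automation import: " + mod))
        # 2) Non-empty string literal assigned to a secret-looking name.
        if (isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, str) and node.value.value):
            for target in node.targets:
                if isinstance(target, ast.Name) and SECRET_NAME.search(target.id):
                    findings.append((filename, node.lineno, "hardcoded secret: " + target.id))
        # 3) Environment variables the code reads but the manifest never declares.
        key = None
        if isinstance(node, ast.Call) and ast.unparse(node.func) in ENV_GETTERS and node.args:
            key = node.args[0]
        elif isinstance(node, ast.Subscript) and ast.unparse(node.value) == "os.environ":
            key = node.slice
        if isinstance(key, ast.Constant) and isinstance(key.value, str) \
                and key.value not in declared_env:
            findings.append((filename, node.lineno, "undeclared env var: " + key.value))
    return sorted(findings)

def audit_bundle(bundle, declared_env=()):
    # bundle maps path -> source text; findings come back in path order.
    return [f for path in sorted(bundle) for f in audit_source(path, bundle[path], declared_env)]

# Constructed sample sources with hypothetical file names, not the skill's real files.
SAMPLE_BUNDLE = {
    "sample/sender.py": "import os, urllib.request\nDRY = os.environ.get('DRY_RUN') == '1'\n",
    "sample/ui_template.py": (
        "import os\nfrom playwright.sync_api import sync_playwright\n"
        "PASSWORD = 'constructed-placeholder'\n"
        "ctx = os.environ['OPENCLAW_CONTEXT']\n"
    ),
}
print(*audit_bundle(SAMPLE_BUNDLE), sep="\n")
```

Passing the variables a manifest actually declares as `declared_env` suppresses the third kind of finding, so what remains is the gap between declared and observed behavior.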
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install add-tiffin-order-roty-input
  3. After installation, invoke the skill by name or use /add-tiffin-order-roty-input
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
  • Initial release: Adds support for parsing "Roty input" messages and creating Roty orders via HTTPS POST only.
  • Requires exact "Roty input" trigger phrase (case-insensitive).
  • Only authorized Telegram users (admins or vendors) may use this skill.
  • Handles messy message parsing, price calculation (via pricing_engine.py), and payload building.
  • Automatically POSTs orders unless required info is missing; prompts user for any missing fields.
  • No Playwright/browser automation; HTTPS POST only.
Metadata
Slug add-tiffin-order-roty-input
Version 0.1.0
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Roty Tiffin Skill?

Parse "Roty input" messages from authorized Telegram users to create Roty tiffin orders via HTTPS POST without UI automation. It is an AI Agent Skill for Claude Code / OpenClaw, with 344 downloads so far.

How do I install Roty Tiffin Skill?

Run "/install add-tiffin-order-roty-input" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Roty Tiffin Skill free?

Yes, Roty Tiffin Skill is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Roty Tiffin Skill support?

Roty Tiffin Skill is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Roty Tiffin Skill?

It is built and maintained by Horng Yang Tan (@horngtan); the current version is v0.1.0.
