horngtan

Roty Tiffin Skill

Author: Horng Yang Tan · GitHub · v0.1.0
cross-platform ⚠ suspicious
Total downloads: 344
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install add-tiffin-order-roty-input
Description
Parse "Roty input" messages from authorized Telegram users to create Roty tiffin orders via HTTPS POST without UI automation.
Usage instructions (SKILL.md)

name: add-tiffin-order-roty-input
description: "POST-only: Parse 'Roty input' messages and create Roty orders via HTTPS POST (no Playwright/UI automation)."

Add Tiffin Order - Roty Input (POST-only)

Trigger

Run when an inbound message contains the exact phrase "Roty input" (case-insensitive).

Important

  • DO NOT use Playwright, browser automation, screenshots, or vision clicks.
  • This skill creates orders only by sending a JSON payload via HTTPS POST to: https://newdailyorderandcartcreation-818352713629.australia-southeast1.run.app

Execution (MANDATORY)

When triggered, you MUST call the dispatcher script and use its output. Do NOT manually construct curl or JSON payloads.

Run: python3 /data/.openclaw/workspace/skills/add-tiffin-order-roty-input/scripts/handle_message.py <sender_id> "<full inbound message>"

Rules:

  • Always POST using the dispatcher (unless it returns Missing address/dates/product).
  • Never hardcode perProductCost (never "[15]").
  • Never use hardCodedPrice for perProductCost.
  • perProductCost MUST come from pricing_engine.py via handle_message.py.

Authorization (Telegram)

  • Only allow Telegram users whose from.id is in: data/allowed_users.json under admins or vendors.
  • If unauthorized: reply "Not authorized."

Behavior

  1. Parse messy input into:
    • customerName
    • userAddress
    • deliveryDates (must resolve at least 1 date; otherwise ask a follow-up)
    • product selection + modifiers
    • specialRequests
  2. Build payload in the exact API shape (see build_payload.py).
  3. Send POST immediately (no "Dry-run vs Live" prompt), unless:
    • address missing, OR
    • no dates resolved, OR
    • product not matched
    In those cases, ask only for the missing piece.
  4. On success: confirm with cartNo.

Scripts

  • Dispatcher: scripts/handle_message.py
  • Parser: scripts/parse_roty_input.py
  • Matcher: scripts/match_product_and_modifiers.py
  • Pricing: scripts/pricing_engine.py
  • Payload: scripts/build_payload.py
  • POST sender (urllib): scripts/post_order.py
  • Products registry: data/products_roty.json
  • Allowlist: data/allowed_users.json
Security recommendations
What to check before installing or enabling this skill:

  1. Remove or isolate Playwright/automation files if you intend to enforce POST-only behavior. The SKILL.md forbids UI automation but the package includes Playwright templates and scripts that would perform browser actions and type credentials — delete or audit these files.
  2. Verify the hardcoded POST endpoint and the provider who controls it. This skill will send parsed customer addresses, names, phone numbers, and order details to that URL. If you do not control or trust that endpoint, do not install or run it.
  3. Treat embedded plaintext credentials as potential secrets: either confirm they are dummy/test values, or rotate any real credentials and remove them from code. Search the repo for any other hardcoded secrets.
  4. Decide which dry-run policy you want and make it explicit: either set DRY_RUN=1 for testing or modify handle_message.py/RULES.md so both agree. Run many DRY_RUN tests with test messages to validate parser, pricing and payload shapes before allowing live posts.
  5. Review allowed_users.json and onboarding behavior. onboard_product allows OpenClaw context to bypass admin checks; ensure only trusted processes can set OPENCLAW_CONTEXT. If you rely on human admin control, limit or remove openclaw bypass.
  6. Consider a code cleanup: remove unused templates, strip credentials, and document which files are authoritative for runtime. After cleanup, re-run tests and only then enable the skill for autonomous invocation.

If you want higher confidence I can: (a) list every file that contains literals resembling credentials or endpoints, (b) show the exact payload shape the skill will POST for a sample message, or (c) suggest a minimal trimmed package that implements only the POST path with no automation templates.
Functional analysis
Type: OpenClaw Skill
Name: add-tiffin-order-roty-input
Version: 0.1.0

The skill bundle contains hardcoded credentials (email and password) for a 'samwisethebot' account within the automation scripts `roty_order_automation.py` and `roty_playwright_dryrun.py`. Furthermore, `onboard_product.py` includes a logic bypass where the `openclaw_context` flag allows users to skip administrative authorization checks when modifying the product database. While these appear to be functional remnants of a specific business integration (Roty Tiffin), the combination of plaintext credentials and intentional authorization bypasses represents a significant security risk.
Capability assessment
Purpose & Capability
The stated purpose is to parse Telegram messages and create orders via HTTPS POST, which matches the dispatcher, parser, pricing, payload builder, and post_order scripts. However the repo also contains Playwright/vision automation templates (roty_order_automation.py, roty_playwright_dryrun.py) and embedded login credentials which are outside the claimed 'POST-only / no UI automation' purpose — this is an unexpected capability and a coherence problem.
Instruction Scope
SKILL.md mandates a single entrypoint (scripts/handle_message.py) and says explicitly 'DO NOT use Playwright or browser automation'. The dispatcher and helper scripts follow that model. But several included scripts implement browser automation, take screenshots, and even type credentials; these files are not referenced by the SKILL.md execution path but remain in the package and contradict the declared runtime restrictions. Documentation also conflicts internally: SKILL.md requires immediate POST (no dry-run prompt) while RULES.md states dry-run by default.
Install Mechanism
There is no install spec (instruction-only install), so nothing is downloaded or auto-installed by the manifest. That minimizes install-time risk. The only code is bundled in the skill archive; no external URLs or extraction steps are present.
Credentials
The skill declares no required environment variables, but the runtime uses DRY_RUN and OPENCLAW_CONTEXT environment variables (undocumented in requires.env). More importantly, several scripts contain hardcoded sensitive-looking values: a remote POST endpoint is hardcoded in SKILL.md and post_order.py, build_payload.py hardcodes userRef/vendorRef, and Playwright automation contains plaintext email/password and phone numbers. The embedded plaintext credentials and the external endpoint mean customer order data would be sent to an external host and that sensitive secrets are present in code — disproportionate given the stated safety rules.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It reads/writes only its own data files (e.g., data/allowed_users.json, products_roty.json). onboard_product allows bypass when OPENCLAW_CONTEXT is set (expected for platform-managed calls) but this is normal for admin-onboard flows.
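How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install add-tiffin-order-roty-input
  3. Once installed, invoke the skill by name or trigger it with /add-tiffin-order-roty-input
  4. Provide the required inputs according to the skill's parameter description to get structured output
Version history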
v0.1.0
- Initial release: Adds support for parsing "Roty input" messages and creating Roty orders via HTTPS POST only.
- Requires exact "Roty input" trigger phrase (case-insensitive).
- Only authorized Telegram users (admins or vendors) may use this skill.
- Handles messy message parsing, price calculation (via pricing_engine.py), and payload building.
- Automatically POSTs orders unless required info is missing; prompts user for any missing fields.
- No Playwright/browser automation; HTTPS POST only.
Metadata
Slug add-tiffin-order-roty-input
Version 0.1.0
License
Total installs 0
Current installs 0
Number of versions 1
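FAQ

What is Roty Tiffin Skill?

Parse "Roty input" messages from authorized Telegram users to create Roty tiffin orders via HTTPS POST without UI automation. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 344 total downloads to date.

How do I install Roty Tiffin Skill?

Run the command "/install add-tiffin-order-roty-input" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is needed.

Is Roty Tiffin Skill free?

Yes, Roty Tiffin Skill is completely free (free and open source) and can be freely downloaded, installed and used.

Which platforms does Roty Tiffin Skill support?

Roty Tiffin Skill is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Roty Tiffin Skill?

Developed and maintained by Horng Yang Tan (@horngtan); the current version is v0.1.0.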
