monsterdeveloper

МойСклад

Author: MonsterDeveloper · GitHub ↗ · v1.0.1 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 75
Favorites: 0
Current installs: 0
Versions: 2
Install in OpenClaw
/install moysklad
Description
МойСклад ERP: management of products, counterparties, orders, warehouses, stock balances and documents via the REST API. Use when you need to get data from МойСк...
Security usage advice
This package appears to be a straightforward MoySklad API CLI: it only talks to https://api.moysklad.ru and the code is readable. However, the registry metadata failing to declare that the skill needs MOYSKLAD_TOKEN or MOYSKLAD_LOGIN/MOYSKLAD_PASSWORD is an important mismatch. Before installing, confirm the skill source (author/repository) and prefer using a dedicated API token (not your full account password) with minimal scope. Do not paste credentials into unknown or unverified skill portals. If possible, inspect scripts/moysklad.mjs yourself or run it in a constrained environment (e.g., a disposable account or container) to verify it only contacts api.moysklad.ru. If you manage multiple skills, ensure this skill is not granted persistent or cross-skill credentials and consider requesting the publisher update registry metadata to declare the required env vars.
Functional analysis
Type: OpenClaw Skill · Name: moysklad · Version: 1.0.1
The skill contains a high-risk credential forwarding vulnerability in `scripts/moysklad.mjs`. The `api` function prepends the `Authorization` header (containing sensitive MoySklad tokens or passwords) to any URL provided in the `path` argument if it starts with 'http', without validating that the destination is the official `api.moysklad.ru` domain. This allows an attacker to exfiltrate credentials by tricking the AI agent into making a request to an external malicious endpoint. While the bundle appears to be a legitimate tool for MoySklad ERP management, this architectural flaw poses a significant security risk.
Capability tags
requires-oauth-token, requires-sensitive-credentials
Capability assessment
Purpose & Capability
The skill name, description, SKILL.md, and the included Node.js CLI (scripts/moysklad.mjs) all consistently implement a MoySklad REST API helper (listing products, counterparties, orders, creating objects, direct API proxy). Functionality requested by the code is coherent with the stated purpose. However, the registry metadata claims 'Required env vars: none' while the SKILL.md and code explicitly require MOYSKLAD_TOKEN or MOYSKLAD_LOGIN + MOYSKLAD_PASSWORD — this metadata omission is an inconsistency.
Instruction Scope
Runtime instructions are narrowly scoped to authenticating to MoySklad and making REST calls (me, products, orders, create-counterparty, create-order, api proxy). The SKILL.md does not instruct the agent to read unrelated files, hostnames, or system secrets beyond the declared MoySklad credentials. The CLI code likewise only calls the MoySklad API base URL and formats output.
Install Mechanism
There is no install spec (instruction-only deployment plus bundled script). No downloads from external or untrusted URLs, no archives extracted, and the script is plain JavaScript with no obfuscation. This is low-risk from an install perspective.
Credentials
Requiring a MOYSKLAD_TOKEN or login/password is appropriate for a MoySklad integration. The concern is the registry metadata does not declare these required environment variables or mark a primary credential, meaning an agent or installer may not surface a credentials prompt or policy check — increasing the chance a user will unknowingly supply sensitive credentials. The credential types requested (API token or account password) are sensitive and should be explicitly declared in metadata.
Persistence & Privilege
The skill does not request always:true or any elevated system presence; it is user-invocable and uses standard CLI behavior. It does not modify other skills' configs or request persistent agent-wide privileges.
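How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install moysklad
  3. Once installation completes, call the Skill by name or trigger it with /moysklad
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history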
v1.0.1
- Documentation updated: the mention of the author was removed from the description, and the reference for the moysklad-ts library was removed.
- The "Setup" section was simplified: dependency installation was removed.
- The reference section now contains only materials on the API, the main entities, and code examples.
v1.0.0
Initial release of the moysklad skill — МойСклад ERP integration via REST API.
- Provides CLI commands to list, search, create, and update products, counterparties, orders, warehouses, and invoices.
- Supports authentication via API token or login/password.
- Includes direct API request support (GET, POST, PUT, DELETE).
- Offers quickstart usage examples and detailed CLI command documentation.
- Compatible with Node.js 18+; requires setting environment variables for authentication.
- Includes reference materials and troubleshooting for common errors.
Metadata
Slug: moysklad
Version: 1.0.1
License: MIT-0
Total installs: 0
Current installs: 0
Number of versions: 2
FAQ

What is МойСклад?

МойСклад ERP: management of products, counterparties, orders, warehouses, stock balances and documents via the REST API. Use when you need to get data from МойСк... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 75 cumulative downloads so far.

How do I install МойСклад?

Run the command "/install moysklad" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is needed.

Is МойСклад free?

Yes, МойСклад is completely free. It is released under the MIT-0 license and can be freely downloaded, installed and used.

Which platforms does МойСклад support?

МойСклад runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed МойСклад?

Developed and maintained by MonsterDeveloper (@monsterdeveloper); the current version is v1.0.1.
