keeper1978

Paradiz

Author: keeper1978 · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 417
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install paradiz
Description
Reply to customers on VK about the cost of a stay based on an Excel price list. Use when you need to quickly calculate the price by dates, number of guests and room, and ...
Security usage advice
This skill appears to implement quoting, holds, and booking saving as described, but review these points before installing:
- Telegram notifications: the scripts will send guest PII (name, phone, email, dates, room, amount) to a Telegram chat. Confirm you want that and verify which chat ID/bot will be used.
- Undeclared credential access: the code reads /home/openclaw/.openclaw/openclaw.json to find a PARADIZ_TG_BOT_TOKEN or a global Telegram bot token. The skill registry lists no required env vars — ask the author to declare PARADIZ_TG_BOT_TOKEN and PARADIZ_TG_CHAT_ID (or document reliance on the global config) so you can control which credentials it uses.
- Data residency: the skill writes bookings and holds to files and may update SQLite DBs under the workspace; ensure those paths are acceptable and that backups are handled appropriately.
- Privacy & compliance: because customer personal data is stored and transmitted, confirm you have consent/policies in place and that the Telegram destination is trusted.
If you cannot verify the Telegram config or do not want PII sent to an external chat, do not enable notifications or run the save_booking.py with --notify, and request the author to make credential usage explicit.
Functional analysis
Type: OpenClaw Skill
Name: paradiz
Version: 1.0.0
The skill is classified as suspicious primarily due to a potential XML injection vulnerability in `scripts/save_booking.py`. When generating booking documents in `.docx` format from a `.dotx` template, user-controlled input (e.g., guest names, notes) is directly replaced into the XML content without proper XML escaping. This could lead to malformed documents or, in a worst-case scenario with a vulnerable document viewer, allow for XML-related attacks (e.g., XXE).
Additionally, the skill handles sensitive Personally Identifiable Information (PII) such as guest names, phone numbers, and emails, storing them in local files (`data/bookings.txt`, `data/bookings.jsonl`, `data/holds.jsonl`) and transmitting them to an external Telegram API endpoint (api.telegram.org). While these actions align with the stated booking management purpose, the combination of PII handling and a document generation vulnerability warrants a 'suspicious' classification, as it presents a risk of data integrity issues or potential exploitation, even if not explicitly malicious in intent.
Capability assessment
Purpose & Capability
Name/description (VK replies and price calculation) align with included scripts: calc_quote, holds management, saving bookings, and syncing prices to a local DB. File operations and DB updates are proportional to a booking/quote skill.
Instruction Scope
SKILL.md instructs the agent to run local scripts to compute quotes, check availability, create holds, save bookings and send short VK replies — that matches the scripts. However the runtime behavior includes sending PII (guest name, phone, email, dates, room, amount) to Telegram as a notification, which is an external transmission of customer data and should be explicitly approved by an operator/owner.
Install Mechanism
No install spec (instruction-only skill) and all code is included in the bundle. Nothing is downloaded from external URLs or executed during install; risk from install mechanism is low.
Credentials
Registry metadata lists no required env vars, but scripts attempt to obtain Telegram credentials by reading /home/openclaw/.openclaw/openclaw.json (looking for PARADIZ_TG_BOT_TOKEN or a global channels.telegram.botToken). This access to a global agent config is not declared and broadens the skill's reach beyond its stated requirements. The skill will therefore act using credentials found in that file unless otherwise provided — the expected PARADIZ_TG_BOT_TOKEN and PARADIZ_TG_CHAT_ID are not declared in requires.env.
Persistence & Privilege
Skill is not forced-always; it does not claim to modify other skills or system-wide settings. It writes booking/holds files and updates DBs inside its workspace, and backs up test DB; these are consistent with its purpose.
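How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install paradiz
  3. Once installation completes, call the Skill by name or trigger it with /paradiz
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history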
v1.0.0
Initial upload
Metadata
Slug paradiz
Version 1.0.0
License
Total installs 0
Current installs 0
Number of versions 1
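FAQ

What is Paradiz?

Reply to customers on VK about the cost of a stay based on an Excel price list. Use when you need to quickly calculate the price by dates, number of guests and room, and ... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 417 total downloads so far.

How do I install Paradiz?

Run the command "/install paradiz" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.

Is Paradiz free?

Yes, Paradiz is completely free (free and open source) and can be freely downloaded, installed and used.

Which platforms does Paradiz support?

Paradiz is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Paradiz?

Developed and maintained by keeper1978 (@keeper1978); the current version is v1.0.0.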
