← 返回 Skills 市场
Pinkr Crm
作者
Double-Jin
· GitHub ↗
· v0.1.0
· MIT-0
87
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install pinkr-admin-api
功能描述
品氪后台 API 调用工具,用于 AI 模型自动调用品氪 CRM 系统。所有接口均为 POST,参数通过 JSON 请求体传递,包含会员查询等常用接口。
安全使用建议
This skill appears to implement a Pinkr CRM CLI client, but packaging and instruction inconsistencies mean you should be cautious. Before installing: (1) Confirm the source and that the PINKR_ADMIN_NAME/PINKR_PASSWORD requirement in SKILL.md is intentional (registry metadata currently omits them). (2) Avoid granting it permission to read your .env or other global env files that contain unrelated secrets; prefer providing only a scoped CRM service account with minimal permissions. (3) Be aware the CLI accepts a full URL for --endpoint, which could be abused to send data to arbitrary hosts — only allow endpoints you trust (or restrict to the CRM base URL). (4) Note debug output may leak response bodies to stderr/logs; run in an isolated environment if possible. If the author fixes metadata (declares required env vars) and removes or narrows .env access (or documents it clearly), the concerns would be reduced.
功能分析
Type: OpenClaw Skill
Name: pinkr-admin-api
Version: 0.1.0
The skill bundle is a standard API client for the Pinkr CRM system, designed to allow an AI agent to query member information. The Python code (pinkr_crm.py) and its associated formatters (member.py, system_reminder.py) implement legitimate authentication and data transformation logic, communicating only with the documented endpoint (crm.pinkr.com). No evidence of data exfiltration, malicious execution, or prompt injection was found.
能力评估
Purpose & Capability
The name/description, code, and declared runtime behavior align: this is a CLI client for the Pinkr CRM that needs an admin username/password to obtain a token and call POST JSON endpoints. However the registry metadata lists no required env vars while the SKILL.md and code require PINKR_ADMIN_NAME and PINKR_PASSWORD — an inconsistency in packaging. Also the repository layout places config files under scripts/, but the runtime code expects config.json and a config/ directory in the working directory, implying the shipped files may not be read unless the packaging/working directory is adjusted.
Instruction Scope
SKILL.md allows the agent to run the Python CLI and to Read(config.json) and Read(.env). The code will attempt to read config.json/config/field_mappings.json and .env (via environment access). Allowing Read(.env) grants the skill potential access to unrelated secrets in the environment. The CLI also accepts a full URL as --endpoint, so an attacker or misuse could direct credentials or request payloads to arbitrary endpoints. The login routine prints a DEBUG_LOGIN_RESPONSE to stderr on unexpected token formats which could leak sensitive response contents into logs.
Install Mechanism
No external install/downloads are requested; the skill is provided as local Python code and uses standard requests and included formatter modules. No network-based installers or obscure URLs are used. This is low-risk from an installation-origin perspective.
Credentials
Requiring PINKR_ADMIN_NAME and PINKR_PASSWORD is proportional to a CRM API client. However SKILL.md explicitly permits reading .env and config.json; reading .env can expose other unrelated secrets. The metadata listing no required env vars while SKILL.md and the code require credentials is a mismatch that should be corrected. The client will send those admin credentials (via login) to the configured base_url; if a full URL is provided it may be sent elsewhere, increasing exfiltration risk.
Persistence & Privilege
The skill does not request always:true and does not attempt to persist or modify other skills or system-wide configuration. Tokens are cached only in memory for the run. Autonomous invocation is allowed (platform default) but not combined with extra persistent privileges.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install pinkr-admin-api - 安装完成后,直接呼叫该 Skill 的名称或使用
/pinkr-admin-api触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.1.0
Initial release of the 品氪后台 API skill (pinkr-crm):
- Provides unified API access to 品氪 CRM system for AI model orchestration.
- Supports login authentication, token management (with auto-retry), and error handling.
- Main features: 查询会员列表 (GetCustomers) and 查询会员详情 (GetCustomer).
- All API requests use JSON POST and Bearer token authentication.
- Includes user-friendly CLI commands for login, API calls, cache management, and configuration display.
元数据
常见问题
Pinkr Crm 是什么?
品氪后台 API 调用工具,用于 AI 模型自动调用品氪 CRM 系统。所有接口均为 POST,参数通过 JSON 请求体传递,包含会员查询等常用接口。 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 87 次。
如何安装 Pinkr Crm?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install pinkr-admin-api」即可一键安装,无需额外配置。
Pinkr Crm 是免费的吗?
是的,Pinkr Crm 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Pinkr Crm 支持哪些平台?
Pinkr Crm 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Pinkr Crm?
由 Double-Jin(@double-jin)开发并维护,当前版本 v0.1.0。
推荐 Skills