gwyang7

Store Benchmark Analysis

Author: Xtechmerge.AI · GitHub · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 119
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install retail-store-benchmark-analysis
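Description
Store benchmark analysis tool. Compares a store against other stores in the group/region and analyzes store tier, ranking changes, and the unit price × attach rate matrix quadrant. Core capabilities:
  1. Multi-dimensional comparison scopes (entire group, region, province, city)
  2. Store tier evaluation (based on sales revenue, order count, average order value, attach rate)
  3. Ranking change tracking (current-period rank vs. previous-period rank)
  4. Unit price × attach rate matrix quadrant analysis (identifies ...
Security usage recommendations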
Do not install or run this skill until the author clarifies and fixes the inconsistencies. Specific issues to resolve:
  1) The SKILL.md example calls analyze_benchmark but the code function is analyze — fix the docs or code.
  2) Remove or explain the hard-coded sys.path insertion ('/Users/yangguangwei/...') — this ties the skill to a specific user's workspace and hides dependencies; the skill should import public modules or document required local modules and config paths.
  3) Declare any database/API credentials or config required (host, user, password, tokens). Right now no env vars are declared yet the code calls query_database, which could access sensitive data.
  4) Prevent SQL injection: avoid concatenating user inputs (scope_code, dates) directly into SQL; use parameterized queries or validate/sanitize inputs.
  5) Ask the author to provide the implementation or provenance of api_client.query_database (what DB, where it connects, who can access it).
Until these are addressed, treat the skill as suspicious and run it only in an isolated environment after reviewing or replacing api_client with a known-safe connector.
Functional analysis
Type: OpenClaw Skill
Name: retail-store-benchmark-analysis
Version: 1.0.0
The skill contains a critical SQL injection vulnerability in `analyze.py` within the `fetch_stores_performance` function, where parameters such as `scope_code`, `from_date`, and `to_date` are directly interpolated into SQL strings using f-strings. Additionally, the script includes a hardcoded absolute path to a specific user's home directory (`/Users/yangguangwei/`) to import local modules, which is a significant security risk and portability flaw. While these are high-risk vulnerabilities, they appear to be unintentional coding errors rather than intentional malware.
Capability assessment
Purpose & Capability
The skill claims to be a store benchmark analyzer and the code implements that logic, but it imports query_database from a hard-coded absolute path ('/Users/yangguangwei/.openclaw/workspace-front-door'), implying a dependency on a local API client or database connector not declared in the metadata. The manifest states no required env/config, but the code clearly depends on an external data source (database) accessed via api_client—this mismatch is unexplained and disproportionate.
Instruction Scope
SKILL.md example calls analyze_benchmark and ComparisonScope from analyze, but the actual code exposes analyze and ComparisonScope; the sample Python call uses a different function name (analyze_benchmark) which will fail. The code constructs raw SQL using user-supplied scope_code and date strings without sanitization (risk of SQL injection depending on query_database implementation). SKILL.md does not disclose the need for a database client or credentials, yet the runtime instructions (the code) will attempt DB queries.
Install Mechanism
There is no install spec (instruction-only), which is low risk, but a code file is included that will import a local module via an absolute filesystem path. Because there's no declared install step, it's unclear how query_database will be provided in other environments. This is surprising and fragile rather than a straightforward install risk.
Credentials
The skill declares no required environment variables or credentials, yet it queries a database via query_database. That likely requires DB connection configuration (credentials, hosts) provided implicitly by the imported api_client module or local environment—these are not declared. The code thus may access sensitive data without the manifest indicating required credentials, which is disproportionate and opaque.
Persistence & Privilege
The skill is not always-enabled and does not request persistent privileges. It does not modify other skills or global agent settings in the provided files.
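How to use
  1. Make sure OpenClaw is installed (locally or deployed via Docker)
  2. Enter the install command in the dialog box: /install retail-store-benchmark-analysis
  3. Once installation completes, call the Skill by name or trigger it with /retail-store-benchmark-analysis
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history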
v1.0.0
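Initial release: supports multi-dimensional comparison, store tiers, and matrix quadrant analysis
Metadata
Slug: retail-store-benchmark-analysis
Version: 1.0.0
License: MIT-0
Cumulative installs: 0
Current installs: 0
Historical versions: 1
FAQ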

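What is Store Benchmark Analysis?

Store benchmark analysis tool. Compares a store against other stores in the group/region and analyzes store tier, ranking changes, and the unit price × attach rate matrix quadrant. Core capabilities: 1. Multi-dimensional comparison scopes (entire group, region, province, city) 2. Store tier evaluation (based on sales revenue, order count, average order value, attach rate) 3. Ranking change tracking (current-period rank vs. previous-period rank) 4. Unit price × attach rate matrix quadrant analysis (identifies ... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 119 total downloads to date.

How do I install Store Benchmark Analysis?

Run the command "/install retail-store-benchmark-analysis" in the OpenClaw or Claude Code dialog box to install it in one step, with no additional configuration required.

Is Store Benchmark Analysis free?

Yes, Store Benchmark Analysis is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.

Which platforms does Store Benchmark Analysis support?

Store Benchmark Analysis is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Store Benchmark Analysis?

Developed and maintained by Xtechmerge.AI (@gwyang7); the current version is v1.0.0.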
