Salesforce AI Agentforce Observability
Author: Anush DSouza · v1.0.0 · MIT-0
Total downloads: 81
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install sf-ai-agentforce-observability
Description
Agentforce session tracing extraction and analysis. TRIGGER when: user extracts STDM data from Data Cloud, analyzes agent session traces, debugs agent conver...
Security usage recommendations
This skill appears to implement the observability functionality it promises, but the package is poorly packaged: it includes many Python scripts and explicit auth requirements (JWT/cert and Data Cloud scopes) yet the registry metadata declares no credentials or install steps. Before installing or running:
- Review scripts/auth.py and scripts/datacloud_client.py to confirm exactly which credentials, files, and endpoints are used and that all network calls target Salesforce Data Cloud endpoints.
- Prepare a dedicated, least-privilege connected app / JWT keypair for this purpose (scopes: cdp_query_api, cdp_profile_api). Do NOT use high-privilege or unrelated org credentials.
- Run the code in an isolated environment (virtualenv/container) and install only the declared dependencies from CREDITS.md via pip to avoid supply-chain surprises.
- Because the package omits declared env vars, check whether the code reads credentials from unexpected locations (env vars, home directory paths). Ensure private keys/certs are stored with appropriate permissions and not world-readable.
- If you allow the agent to invoke the skill autonomously, restrict which principals can trigger it (or require user confirmation) because autonomous execution + org credentials increases risk.
If you want me to, I can inspect the full contents of scripts/auth.py and scripts/datacloud_client.py to identify exactly where credentials are loaded and which remote endpoints are called; that would materially increase confidence in this assessment.
Functional analysis
Type: OpenClaw Skill
Name: sf-ai-agentforce-observability
Version: 1.0.0
The skill bundle provides a comprehensive toolset for extracting and analyzing Salesforce Agentforce session telemetry. However, it contains significant security vulnerabilities: scripts/datacloud_client.py and scripts/extractor.py construct SQL queries using unsanitized string formatting (f-strings), which is a classic SQL injection vector. Additionally, scripts/auth.py uses subprocess.run to execute Salesforce CLI commands with the org_alias parameter, posing a potential command injection risk if the alias is user-controlled. While these appear to be unintentional design flaws rather than intentional malware, they meet the criteria for a suspicious classification due to high-risk vulnerabilities.
Capability assessment
Purpose & Capability
Name/description match the included artifacts: SQL query templates, Parquet/Polars analysis scripts, Data Cloud client and JWT-based auth references. The code and docs all target Data Cloud STDM extraction and Polars-based analysis, so capabilities align with the stated purpose. However, the registry metadata claims no required credentials or env vars while the README and SKILL.md explicitly require JWT/ECA auth, certificate files, and Data Cloud scopes—this missing declaration is inconsistent.
Instruction Scope
SKILL.md and README instruct the agent to run the bundled Python scripts to extract and analyze Parquet files and to use JWT Bearer auth for Data Cloud. The runtime instructions and hooks reference local paths, metadata files, and Parquet contents (e.g., ./stdm_data, ~/.sf/jwt). I see no instructions that exfiltrate data to unknown external endpoints in the provided content, but the code will call Salesforce Data Cloud APIs (expected). Hooks read local Parquet/metadata and may suggest further actions or cross-skill handoffs. The instructions are not overly broad, but they assume access to org credentials and local files that are not declared in the registry.
Install Mechanism
There is no install spec despite a sizeable Python codebase and explicit dependency list (polars, pyarrow, pyjwt, cryptography, httpx, click, rich, pydantic). This means the skill would require manual dependency installation. No downloads from arbitrary URLs were found, but absence of an install mechanism and packaging information increases friction and risk (users might run the scripts without a controlled environment).
Credentials
The skill requires JWT Bearer auth (private key / cert) and Data Cloud scopes (cdp_query_api, cdp_profile_api) per README/SKILL.md and uses local cert paths (examples under ~/.sf/jwt). Yet the registry lists no required env vars, no primary credential, and no required config paths. That mismatch is significant: the code clearly needs sensitive org credentials / keys but the metadata omits them. The hooks/scripts also read parquet files and metadata from disk. Requesting org-level Data Cloud access is proportionate to the stated purpose, but the omission from declared requirements is a red flag.
Persistence & Privilege
always:false (good). The agent interface allows implicit invocation (allow_implicit_invocation: true), which is normal for skills. Hooks (post-tool-use scripts) will run based on tool results and can read local extraction artifacts; they do not appear to modify other skills or global agent settings. Because the skill requires org credentials, autonomous invocation combined with those credentials could increase blast radius — a consideration for operators.
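How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install sf-ai-agentforce-observability
- Once installation completes, call the Skill by name or use /sf-ai-agentforce-observability to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output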
Version history
v1.0.0
Initial ClawHub publish.
FAQ
What is Salesforce AI Agentforce Observability?
Agentforce session tracing extraction and analysis. TRIGGER when: user extracts STDM data from Data Cloud, analyzes agent session traces, debugs agent conver... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 81 total downloads to date.
How do I install Salesforce AI Agentforce Observability?
Run the command "/install sf-ai-agentforce-observability" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is required.
Is Salesforce AI Agentforce Observability free?
Yes, Salesforce AI Agentforce Observability is completely free under the MIT-0 license and can be freely downloaded, installed, and used.
Which platforms does Salesforce AI Agentforce Observability support?
Salesforce AI Agentforce Observability is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Salesforce AI Agentforce Observability?
It is developed and maintained by Anush DSouza (@dsouza-anush); the current version is v1.0.0.