cjboy007

Order Tracker

By Jaden's built a claw · GitHub · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 317
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install ssa-order-tracker
Description
Track and manage sales orders with status updates, notifications, and dashboard reporting. Supports order creation, status transitions (pending/confirmed/shi...
Security usage advice
What to check before installing/using this skill:
- SMTP credentials: send-order-notification.js loads SMTP config from ../../imap-smtp-email/.env. Confirm you have (or want to provide) SMTP_HOST/SMTP_USER/SMTP_PASS and related settings, and that you trust the imap-smtp-email skill and its .env file location. The skill metadata does not declare these env vars — treat this as a manual dependency.
- File writes: update-order-status.js will modify data/orders.json (creates a .bak) and append to logs/status-changes.log. Run with --dry-run first and inspect the backup before letting it write in production.
- Arbitrary paths: both update and notification scripts accept --orders-file to point to any path; only run these scripts as a user who controls the supplied file paths. Avoid running them as a privileged user or from automated agents with access to sensitive directories.
- Email behavior: the notification script will connect to the SMTP host and send emails with order content (customer names/emails/order details). Verify you want these messages sent from the configured SMTP account.
- Origin and trust: source/homepage are unknown. The code is readable and unsurprising, but the skill accesses another skill's .env and does network I/O. If you plan to use it, review the imap-smtp-email .env contents, run smoke tests in the repo (smoke-test.sh uses dry-run), and consider running in an isolated workspace or container first.
Functional analysis
Type: OpenClaw Skill
Name: ssa-order-tracker
Version: 1.0.0
The order-tracker skill provides functionality for managing sales orders and sending customer notifications. The script `scripts/send-order-notification.js` contains a risky behavior where it performs a directory traversal to access sensitive SMTP credentials from a sibling skill's directory (`../../imap-smtp-email/.env`). While this cross-skill dependency is explicitly documented in `SKILL.md` and `README.md` as a prerequisite, it represents a security vulnerability by breaking directory isolation and assuming access to external secrets. No evidence of intentional malice, such as unauthorized data exfiltration or backdoors, was found in the code logic.
Capability assessment
Purpose & Capability
The code implements order dashboard, status updates, and email notifications consistent with the declared purpose. However, the runtime instructions and code implicitly require SMTP credentials (for sending emails) that are not declared in the skill metadata (requires.env is empty). The README and SKILL.md point the SMTP config at a different skill's .env (imap-smtp-email), which is reasonable for email but is not reflected in the declared requirements.
Instruction Scope
Instructions and scripts operate on local data files (data/orders.json), write backups and logs (logs/status-changes.log, logs/notifications.log), and load an external .env at ../../imap-smtp-email/.env via dotenv. The notification script will connect to an external SMTP server (network I/O) and send email content. The update script accepts --orders-file and --schema-file flags allowing it to read/write arbitrary paths supplied by the caller. The agent instructions are precise but grant the runtime ability to read another skill's credentials file and modify local files — that cross-skill file access and arbitrary path support are scope concerns.
Install Mechanism
No install spec in the registry; this is an instruction-only skill with Node.js scripts and a package.json. Dependencies are limited to dotenv and nodemailer (both present in package-lock.json) and are reasonable for this functionality. No network downloads or archive extraction are used by the skill itself.
Credentials
The skill requires SMTP_HOST/SMTP_USER/SMTP_PASS (and related SMTP_* envs) at runtime to send emails — createTransporter throws if they are missing — but the registry metadata lists no required environment variables or primary credential. Instead the code loads those values from a relative .env file belonging to another skill (imap-smtp-email). Requesting access to another skill's .env without declaring this dependency is disproportionate and should be explicit. Storing SMTP credentials in a sibling skill's .env is a cross-skill secret access pattern the user should verify.
Persistence & Privilege
The skill does not request always:true or other elevated platform privileges. It persists data only to local files inside the skill directory by default (data/, logs/, .bak). The scripts create backups and logs, and will modify orders.json when run (unless --dry-run). This is expected for a CLI order manager; however, the ability to specify custom orders-file paths means it can be used to overwrite other files if invoked with arbitrary paths (caller-controlled), so exercise normal caution when running with elevated context.
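How to use
  1. Make sure OpenClaw is installed (locally or deployed with Docker)
  2. Enter the install command in the chat box: /install ssa-order-tracker
  3. Once installation completes, call the Skill by name or trigger it with /ssa-order-tracker
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history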
v1.0.0
Initial release: Track and manage sales orders with status updates and notifications
Metadata
Slug ssa-order-tracker
Version 1.0.0
License MIT-0
Total installs 0
Current installs 0
Historical versions 1
FAQ

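What is Order Tracker?

Track and manage sales orders with status updates, notifications, and dashboard reporting. Supports order creation, status transitions (pending/confirmed/shi... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 317 total downloads so far.

How do I install Order Tracker?

Run the command "/install ssa-order-tracker" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is Order Tracker free?

Yes, Order Tracker is completely free and released under the MIT-0 license; it can be freely downloaded, installed, and used.

Which platforms does Order Tracker support?

Order Tracker runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Order Tracker?

Developed and maintained by Jaden's built a claw (@cjboy007); the current version is v1.0.0.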
