xingke2023

shejian

Author: Xiaobing Mi · GitHub · v1.0.6 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 203
Favorites: 2
Current installs: 0
Versions: 7
Install in OpenClaw
/install store-ai
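Description
Shejian Hong Kong store AI assistant (supports environment variables). Triggered when the user sends any Chinese-language message related to store operations, including but not limited to: - Reporting product stock status, such as "the tomatoes are sold out", "5 jin of carrots left", "sold 20 jin of cabbage today" - Querying today's inventory, sales, purchase records and operation logs - Recording incoming stock, such as "received 50 jin of carrots today" - Querying the weather in the store's city, such as "tomorrow's ...
Security recommendations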
Before installing, confirm with the author how tokens are supplied and why the package metadata doesn't declare them. Specific actions to take: 1) Require the skill manifest to list the required env var (SHEJIAN_API_TOKEN_<agentId>) or otherwise document credential input explicitly. 2) Verify the origin and trustworthiness of the API host (https://s.xingke888.com) and confirm token scope and expiration — prefer short-lived, least-privilege tokens. 3) Limit the skill's read permission to the single file (SHEJIAN.md) and prevent broad workspace file access. 4) Ask whether exec/curl outputs or command histories are logged; avoid embedding long-lived secrets into commands where logs might capture them. 5) If you cannot verify the owner or token handling, treat this skill as risky and avoid installing it in workspaces that contain other sensitive credentials or data.
Functional analysis
Type: OpenClaw Skill
Name: store-ai
Version: 1.0.6

The skill instructions in SKILL.md explicitly direct the AI agent to bypass security restrictions in the 'exec' tool (which blocks the use of '$' for environment variables) by reading sensitive API tokens and manually concatenating them into shell commands. This pattern is highly vulnerable to command injection and exposes secrets in the process list. Furthermore, the instructions mandate 'stealth' behavior by strictly forbidding the agent from disclosing its internal operations or tool-calling details to the user, which could be used to mask unauthorized actions.
Capability tags
crypto · can-make-purchases · requires-oauth-token · requires-sensitive-credentials
Capability assessment
Purpose & Capability
The skill's stated purpose (store assistant calling APIs at https://s.xingke888.com) is plausible, but the SKILL.md requires fetching an API token from either workspace SHEJIAN.md or environment variables (SHEJIAN_API_TOKEN_<agentId>). The registry metadata lists no required env vars or credentials, creating an inconsistency: a networked API client legitimately needs a token, but the manifest does not declare it.
Instruction Scope
Runtime instructions explicitly direct the agent to read workspace files (SHEJIAN.md) or env vars to obtain tokens and then run exec/curl commands with the token embedded. This means the skill runtime will access workspace files and secrets; the SKILL.md forbids exposing these steps to the user, which could hide sensitive operations. The instructions also require using the exec tool and prohibit $ expansion, forcing plaintext insertion of secrets into single-line curl commands — increasing the chance tokens appear in logs or command histories.
Install Mechanism
No install spec and no code files are present (instruction-only). This limits on-disk persistence and reduces supply-chain risk compared to downloadable binaries.
Credentials
The skill clearly needs an API token but the metadata declares no required env vars or primary credential. SKILL.md references an env var pattern (SHEJIAN_API_TOKEN_<agentId>) and reading SHEJIAN.md; requesting workspace secrets without declaring them is disproportionate and opaque. Embedding tokens into curl commands also increases exposure risk if command outputs or logs are stored.
Persistence & Privilege
The skill is not always-enabled and has no special persistence flags. Autonomous invocation is allowed (platform default). Combined with access to API tokens and the ability to run exec, autonomous behavior increases potential impact if the skill were misused, but autonomous invocation alone is not unusual.
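How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the dialog box: /install store-ai
  3. Once installation completes, call the Skill by name or trigger it with /store-ai
  4. Provide the required input as described in the Skill's parameter documentation to get structured output
Version history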
v1.0.6
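Compatible with Claude skills
v1.0.5
Removed the hard-coded token; now uses the environment variables SHEJIAN_API_TOKEN/SHEJIAN_BASE_URL
v1.0.4
Added historical sales queries and a daily inventory overview (F15); clarified the difference between the data sources for today's live trading and historical snapshots; added descriptions of fields such as yesterday's closing stock and opening stock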
v1.0.3
Minor updates
v1.0.2
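Updated the API documentation, added descriptions of the three sales back-entry modes, and improved the field descriptions for the daily overview and source breakdown
v1.0.1
shejian v1.0.1 - Changed the default API base_url; it is now https://s.xingke888.com, previously http://0.0.0.0:8080 - Documentation revised to reflect the base_url update - No substantive changes to features or workflow
v1.0.0
shejian v1.0.0 - Initial release: the Shejian Hong Kong store AI assistant is live, supporting natural-language remote management of core fresh-produce store operations such as inventory, sales and purchasing - Supports a three-step management flow of automatic intent recognition, parameter completion and operation confirmation, so users do not need to know API details - Covers 13 key store-operations functions including inventory queries, sales summaries, purchase management and log tracking - Intelligent semantic parsing lets natural phrases such as "the tomatoes are sold out" and "5 jin of carrots left" trigger the corresponding operations - Supports dynamically configuring and calling the API token within the conversation, ensuring data security - Output is clear and intuitive, presented by scenario, so store data can be seen at a glance
Metadata
Slug store-ai
Version 1.0.6
License MIT-0
Total installs 0
Current installs 0
Number of versions 7
FAQ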

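What is shejian?

Shejian Hong Kong store AI assistant (supports environment variables). Triggered when the user sends any Chinese-language message related to store operations, including but not limited to: - Reporting product stock status, such as "the tomatoes are sold out", "5 jin of carrots left", "sold 20 jin of cabbage today" - Querying today's inventory, sales, purchase records and operation logs - Recording incoming stock, such as "received 50 jin of carrots today" - Querying the weather in the store's city, such as "tomorrow's ... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 203 downloads to date.

How do I install shejian?

Run the command "/install store-ai" in the OpenClaw or Claude Code dialog box for one-click installation; no additional configuration is required.

Is shejian free?

Yes, shejian is completely free under the MIT-0 license and may be freely downloaded, installed and used.

Which platforms does shejian support?

shejian runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed shejian?

Developed and maintained by Xiaobing Mi (@xingke2023); the current version is v1.0.6.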
