📦 人机协作台 — 智能挖掘客户
v1.0.4用户用自然语言下达销售指令,AI自动解析任务参数,调用KocGo接口提交任务并轮询AiWa挖掘客户数据,最终生成xlsx文件返回,全程无需手动操作。
0· 247·0 当前·0 累计
by @2393970875下载技能包
最后更新
2026/4/21
安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
Key things to verify before installing or enabling this skill:
- Clarify environment variables: SKILL.md requires DEEPSOP_API_KEY but the registry metadata lists none — confirm you must provide DEEPSOP_API_KEY and verify its scope/permissions and that it is not shared with other services.
- Understand delivery paths: SKILL.md mentions feishuChatId and automatic pushing of files/results; ask the author to explain exactly how results are delivered (does deepsop send to Feishu on your behalf, or d...详细分析 ▾
ℹ 用途与能力
The name/description, the SKILL.md, and the Python helpers are coherent: this skill parses natural-language sales requests, calls the deepsop API, and formats results into XLSX files. However the registry metadata lists no required environment variables while the SKILL.md explicitly requires DEEPSOP_API_KEY — this mismatch is inconsistent and should be clarified. The included scripts are only formatters (no network calls) and are proportionate to the described reporting functionality.
⚠ 指令范围
The SKILL.md instructs the agent to (a) parse inputs in detail, (b) call multiple deepsop endpoints, (c) generate XLSX files and (d) 'send' or 'push' results — including reacting to automated cron callbacks marked with [DeepSOP-AutoQuery] where the skill must 'immediately' perform queries and push results without user confirmation. The cron behavior (automatic, immediate execution based on input text) increases risk because a triggered event containing crafted fields (taskId, feishuChatId, etc.) will cause outbound actions. The SKILL.md references feishuChatId and other delivery fields (implying posting to external chat systems) but does not document required credentials or how delivery is authenticated — this gap is concerning for data exfiltration and delivery authorization.
✓ 安装机制
There is no install spec (instruction-only plus a few helper scripts shipped in the bundle). No network downloads or package installs are executed by the skill itself. The included Python formatting scripts only read JSON and write XLSX files locally; they do not perform networking or obfuscated behavior.
⚠ 凭证需求
The SKILL.md requires DEEPSOP_API_KEY (used as X-Api-Key) but the registry metadata declares no required env vars — an incoherence. SKILL.md also implies posting results to destinations identified in inputs (feishuChatId) but does not declare any Feishu or other messaging credentials; it's unclear whether deepsop handles delivery or whether additional secrets are required. Requesting a single deepsop API key is reasonable for the stated purpose, but the mismatch and the lack of clarity about where generated data/files are pushed is a proportionality concern.
ℹ 持久化与权限
The skill is not always:true and is user-invocable (normal). It can be invoked autonomously per platform defaults. The notable behavior is that cron-style callbacks that include [DeepSOP-AutoQuery] are supposed to trigger immediate, non-interactive processing and delivery — this is a behavioral privilege (automatic execution on event input) and combined with external push behavior increases the blast radius if inputs are untrusted.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.42026/3/19
NULL
● 可疑
安装命令
点击复制官方npx clawhub@latest install deepsop-human-ai-collab
镜像加速npx clawhub@latest install deepsop-human-ai-collab --registry https://cn.longxiaskill.com