ClawHub

Agent Commerce Engine

v1.7.1

A production-ready universal engine for Agentic Commerce. This tool enables autonomous agents to interact with any compatible headless e-commerce backend thr...

9· 3.3k·14 current·14 all-time
by@nowloady
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (commerce engine for headless stores) matches the included CLI and client library. Required binary is python3 and the single Python dependency (requests) is proportionate. Optional env vars and the documented credential path align with multi-store operation.
Instruction Scope
SKILL.md instructs the agent to call the provided Python CLI, target a store via --store (or legacy env vars), and perform commerce actions (search, cart, auth, order creation). Instructions only reference the declared local credential path and the expected API endpoints; there are no hidden files, unexplained system paths, or external endpoints unrelated to commerce backends.
Install Mechanism
This is instruction-plus-source (no remote install scripts). The metadata suggests installing 'requests' via pip — a single, common dependency appropriate for an HTTP client. There are no downloads from arbitrary URLs or archive extracts.
Credentials
No required environment variables or credentials are declared. Optional COMMERCE_URL / COMMERCE_BRAND_ID are relevant for a multi-store CLI. The code does persist tokens locally (creds.json) but only under the declared ~/.openclaw/credentials/agent-commerce-engine/<domain>/ path.
Persistence & Privilege
The skill writes per-domain credential files (creds.json and visitor.json) under ~/.openclaw/credentials/agent-commerce-engine/ and sets file mode 0600. It does not request system-wide privileges or modify other skills. Keep in mind the skill can be invoked autonomously (platform default) and will use stored tokens to call store APIs, including actions that create or modify carts and orders.
Assessment
This skill appears coherent and does what it says, but consider these practical points before installing: - Tokens are persisted as JSON under ~/.openclaw/credentials/agent-commerce-engine/<domain>/ with file mode 0600. They are not encrypted; anyone with local account access can read them. Revoke tokens on the merchant side if you suspect compromise. - The client will make HTTP requests to whatever --store URL you supply. Only point it at stores you trust. The client enforces HTTPS for non-localhost endpoints, but localhost/127.0.0.1 are allowed for dev. - Because the agent can run this skill autonomously, a misconfigured or compromised agent could perform cart modifications, create orders, or call account endpoints using saved tokens. The skill itself does not perform unexpected network exfiltration, but stored tokens give authorization to the merchant API. - Passwords are exchanged once for tokens (not persisted), which is good practice. Still avoid reusing high-value credentials and prefer revocable API tokens when available. - If you need higher assurance, review the code files yourself (provided) or run the CLI in a sandboxed environment and inspect the network requests it makes when interacting with a test store. Overall this skill is internally consistent with its description; the main risks are normal operational concerns around stored tokens and which store endpoints you allow the agent to contact.

Like a lobster shell, security has layers — review code before you run it.

latestvk976xbkq0p90xb5f6qm75z7scs82vrn3

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🛒 Clawdis
Binspython3

Comments