Scout Commerce
v1.1.0
Search for products on Amazon/Shopify and buy with USDC on Solana. Swap tokens using Jupiter.
by @xasus1
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name and description (search Amazon/Shopify, buy with USDC on Solana, swap via Jupiter) match the code and runtime behavior: the scripts call scout-api.trustra.xyz endpoints, Solana RPC, and Jupiter tokens metadata. No unrelated cloud credentials or surprising capabilities are requested.
Instruction Scope
SKILL.md instructs the agent to run the included Python scripts and to present images as media. The scripts only access credentials.json (for api_key and wallet), communicate with Scout API, Solana RPC, and the Jupiter tokens metadata endpoint — all within the domain of shopping and swaps. There are no instructions to read arbitrary system files or exfiltrate unrelated data.
Install Mechanism
This is instruction- and script-based (no automated install spec). A requirements.txt is provided listing packages (x402, solana, solders, base58) which, if installed, will be fetched from PyPI — a normal dependency flow but worth noting because installing Python packages pulls remote code into your environment.
Credentials
No required environment variables or external credentials are declared beyond an optional SCOUT_API_KEY. The tool legitimately needs an API key and wallet address to perform purchases and swaps; those are stored in credentials.json. No unrelated secrets (AWS, GitHub, etc.) are requested.
Persistence & Privilege
The skill writes/reads a local credentials.json to store the api_key, wallet_address, and shipping_profile (expected for a shopping agent). always:false and no global config modifications are present. Storing the API key locally is necessary for operation but increases responsibility for securing that file.
Assessment
This skill appears to do what it claims, but take these precautions before installing or using it:
- Verify the API endpoint (https://scout-api.trustra.xyz) is the trusted service you intend to use. If you don't trust that server, do not register or fund the wallet.
- The get_api_key flow registers you and stores an API key + wallet_address in credentials.json; keep that file private (restrict filesystem permissions) or set SCOUT_API_KEY as an environment variable instead.
- Do not fund the returned wallet address with significant funds until you've audited the service and tested small amounts.
- Installing requirements.txt will pull packages from PyPI (x402, solana, solders). Prefer running inside an isolated virtual environment or disposable VM/container.
- Review the code yourself (or have someone you trust do so) if you plan to use it for real purchases: network calls go to scout-api.trustra.xyz, Solana RPC (api.mainnet-beta.solana.com), and Jupiter tokens metadata (tokens.jup.ag), which is expected but worth confirming.
- If you want tighter control, avoid saving credentials.json and pass SCOUT_API_KEY via the environment when invoking scripts.
Like a lobster shell, security has layers — review code before you run it.
