Zinc Universal Checkout
v1.0.1
Place, list, and retrieve orders via the Zinc API (zinc.com). Use when the user wants to buy a product from an online retailer, check order status, list recent orders, or anything involving the Zinc e-commerce ordering API. Requires ZINC_API_KEY environment variable.
by @a5huynh
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The skill's stated purpose (placing/listing/retrieving orders via Zinc) matches the instructions which call https://api.zinc.com and require a ZINC_API_KEY. However, the registry metadata in the package lists no required env vars / primary credential while both SKILL.md and README.md clearly say ZINC_API_KEY is required — metadata omission is an inconsistency to be aware of.
Instruction Scope
SKILL.md only describes Zinc API endpoints (POST /orders, GET /orders) and includes example curl, error handling, and polling instructions. It also instructs the agent to schedule cron-like checks and 'announce' results to a channel; that is consistent with asynchronous order processing but means the agent will use platform scheduling/messaging features — confirm you expect that behavior. The skill explicitly requires user confirmation before placing orders, which is good practice.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest-risk distribution model (nothing is downloaded or written by an installer).
Credentials
Only a single credential (ZINC_API_KEY) is needed according to SKILL.md/README, which is proportional to the stated purpose. Note: README documents an option to embed the key into an OpenClaw config (~/.openclaw/openclaw.json) instead of using an environment variable — storing secrets in plaintext config files increases risk and should be avoided if possible. Also note that the package metadata's failure to declare the required env var is an administrative inconsistency.
Persistence & Privilege
Skill does not request always:true or any elevated platform privilege. It includes instructions to schedule follow-up checks using the agent's scheduler/messaging mechanisms, which is reasonable for async order tracking but means the agent will create scheduled tasks/announcements if allowed — ensure your agent's scheduler permissions are constrained as you expect.
Assessment
This skill is internally consistent with its stated purpose of interacting with the Zinc API and is instruction-only (no install or code), but check these before installing:
1) Provide a ZINC_API_KEY from app.zinc.com; prefer setting it as an environment variable rather than embedding it in ~/.openclaw/openclaw.json or other plaintext files.
2) Confirm the agent will always ask the user before POSTing orders (SKILL.md says it should) — if your agent can act autonomously, restrict that when money is involved.
3) Be aware the skill schedules follow-up checks and posts announcements to channels; if you don't want automated messages, limit the agent's scheduler/messaging permissions.
4) The package metadata omitted the required env var — verify the runtime will actually be given the API key (and not left unset).
If you need stronger assurance, ask the skill author for a signed/official source or a repository link.
Like a lobster shell, security has layers — review code before you run it.
latestvk973egtjsnbzv4ycwzdz76s24d810adg
