ClawHub

Buy Coffee

v1.2.0

Lobster Brew helps your OpenClaw discover coffee roasters, compare coffees, build personalized carts, and hand off a secure Shopify checkout link for you to...

0· 114·0 current·0 all-time
byAdolfo Builes@abuiles
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the SKILL.md: it queries lobsterbrew.com for directory data and then uses merchants' Shopify Storefront/MCP endpoints for catalog, cart, and checkout URL generation. The skill does not request unrelated binaries, environment variables, or credentials.
Instruction Scope
Instructions are narrowly focused on HTTP GET/POST interactions with lobsterbrew.com and merchant Shopify storefront MCP endpoints and on how to handle subscriptions, cart attributes, and handoff. This is in-scope for the stated purpose. Note: the skill will perform network requests to external domains and may use agent-local memory (preferences/prior purchases) when interacting with merchants — review what personal data the agent is allowed to send to merchant endpoints.
Install Mechanism
No install spec and no code files — instruction-only skill. This minimizes disk writes or arbitrary code installation.
Credentials
The skill requests no environment variables, credentials, or config paths. That is proportionate to a directory/routing skill that hands off checkout URLs rather than completing payments.
Persistence & Privilege
always is false and the skill is user-invocable. It can be invoked autonomously (platform default), which is expected; it does not request persistent system privileges or modify other skills.
Scan Findings in Context
[no_code_files_to_scan] expected: The static scanner had no code files to analyze because this is an instruction-only skill (SKILL.md). Manual review focused on the SKILL.md content instead.
Assessment
This skill appears internally consistent, but review these practical points before installing: 1) The skill will make network calls to lobsterbrew.com and to third-party merchant Shopify storefront endpoints — only use it if you trust those domains. 2) The skill does not complete payments, but it may create carts or send preference data to merchant endpoints; avoid storing or exposing sensitive personal/payment data in the agent's memory. 3) When presented with a checkout URL, verify it is a legitimate Shopify/merchant URL in your browser before entering payment details. 4) There's a minor metadata mismatch (SKILL.md lists Version 1.2.0 while _meta.json shows 1.0.0) and the source/publisher identity is not provided — if provenance matters, verify the publisher or the lobsterbrew.com homepage before trusting long-term use.

Like a lobster shell, security has layers — review code before you run it.

latestvk97avf8k33yfa83mc7g9wra4z183402x

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments