Buy Coffee
Security checks across malware telemetry and agentic risk
Overview
This skill is coherent for coffee shopping and checkout handoff, but users should know it contacts Lobster Brew and merchant MCP services, can update shopping carts, and may remember purchase preferences.
This appears safe for its stated purpose as an instruction-only coffee-shopping helper. Before installing, be comfortable with external Lobster Brew and merchant Shopify MCP lookups, review all cart and subscription details before paying, and manage local memory if you do not want purchase preferences retained.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may create or change a merchant cart before handing you a checkout link, so quantities, products, subscription cadence, and pricing should be reviewed before payment.
The skill explicitly allows cart retrieval, cart updates, and checkout URL generation through merchant MCP tools. This is aligned with buying coffee, but it can affect shopping carts and subscription checkout details.
Use that merchant MCP for: - catalog search - product details and availability - policy questions - cart retrieval - cart updates - checkout URL generation
Use the skill for cart preparation, but confirm the cart contents and subscription terms before opening or paying through the checkout URL.
Merchant discovery and shopping-cart activity may be sent to Lobster Brew and the selected merchant's Shopify Storefront MCP endpoint.
The skill depends on an external directory returning merchant MCP URLs, then connects to those external merchant MCP services. This is disclosed and central to the skill, but it means shopping queries and cart activity flow through third-party services.
GET `lobsterbrew.com/merchants/{slug}/connect.md`
2. Read the returned merchant MCP URL
3. Connect to that merchant's Shopify Storefront MCPOnly use this skill if you are comfortable sharing coffee-shopping queries and cart details with Lobster Brew and the selected merchant.
Your coffee preferences or purchase history may be remembered and reused in later sessions.
The skill instructs the agent to persist purchase preferences and prior purchases in local memory. This supports personalization, but it creates retained context that can influence future shopping choices.
Keep preferences and prior purchases in your own local memory
Review or clear the agent's memory if you do not want coffee preferences or prior purchases retained.
The displayed package metadata may not fully match the advertised skill version.
The packaged _meta.json version differs from the registry and SKILL.md version shown as 1.2.0. This does not show malicious behavior, but it is a provenance/version consistency issue.
"version": "1.0.0"
Confirm you are installing the intended version if version provenance matters for your workflow.