Shopping List
PassAudited by ClawScan on May 1, 2026.
Overview
This looks like a local shopping-list skill with disclosed, purpose-aligned file storage and no evidence of credential use, network access, exfiltration, or destructive behavior outside its own data files.
This appears safe to install if you are comfortable with a local skill keeping shopping-list state and purchase history. Before first use, consider clearing the bundled `data/active.json`, `data/config.json`, and history files so the list starts with your own household data rather than the included sample user and items.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your name, active shopping list, and purchase history can persist across sessions and may be visible to anyone with access to the skill data folder.
The skill intentionally stores a persistent user name and shopping/purchase history for future sessions. This is expected for the stated purpose, but it means household shopping data remains in local skill files.
`user` -- Set on first interaction, persists across sessions. ... Monthly archive of purchased items.
Reset or review the `data/` files before first use, avoid putting sensitive personal details in item notes, and delete history files if you do not want purchase history retained.
The agent may run a simple local ID-generation command when adding items.
The skill may invoke a local shell command only to generate UUIDs for shopping-list items. The command is narrow, disclosed, and has a safe fallback.
`id` -- Generate via `uuidgen` in bash. If that command is unavailable, construct an ID from the current ISO timestamp...
Allow only the documented `uuidgen` use or the fallback timestamp ID generation; do not expand this into arbitrary shell execution.
A misunderstood natural-language request such as “never mind on bananas” could remove an item from the active list.
The skill includes a command that permanently removes items from the shopping list. This is purpose-aligned and local, but it is still a mutating action.
`shopping remove <item>` | Delete permanently, no archive
Use clear wording for remove and clear operations, and consider asking for confirmation before deleting important list items.