Zepto

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill is a disclosed Zepto shopping automation, but it uses your logged-in browser session, cart actions, WhatsApp payment links, and local shopping history, so review each order before paying.

Use this only if you are comfortable letting OpenClaw control your logged-in Zepto browser session. Confirm address, cart contents, total, and payment link before paying; protect OTPs and payment links; and periodically review or delete the local order-history file.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken or ambiguous request could change your Zepto cart or create a payment link, though the artifacts say payment remains manual.

Why it was flagged

The skill can use browser tools to add or remove cart items and initiate a checkout/payment-link flow, which is expected for the purpose but can affect a real shopping account.

Skill content

It shops, generates a payment link, sends it to WhatsApp. You pay on your phone.

Recommendation

Require explicit confirmation of address, cart contents, total price, and payment-link sending before proceeding.

What this means

Anyone or any agent action using this skill in the same profile may act as your Zepto account until you log out or clear the session.

Why it was flagged

The skill acts through the user's logged-in Zepto browser session, giving it the same account-level ability to view addresses, manage carts, and start checkout.

Skill content

Browser automation on zepto.com (your local browser, your authenticated session) ... Session cookies persist login between orders.

Recommendation

Use a dedicated browser profile if possible, do not share OTPs outside the expected login flow, and log out or clear the profile when you no longer want automation.

What this means

The provided code appears to use this for browser automation, but a modified copy of the skill could run different local commands.

Why it was flagged

The helper script launches the local OpenClaw CLI to drive browser commands. This is purpose-aligned, but it is still local process execution.

Skill content

const proc = spawn('openclaw', args, { stdio: ['pipe', 'pipe', 'pipe'] });

Recommendation

Install only from a trusted copy and review helper scripts before granting browser automation access.

What this means

The local file can reveal shopping patterns, and stale or modified history could influence what the agent adds to your cart.

Why it was flagged

The skill keeps persistent local shopping-history memory and uses it to choose future items automatically.

Skill content

Stores order history locally in `~/.openclaw/skills/zepto/order-history.json` ... If ordered 2+ times → Auto-add your most-ordered variant

Recommendation

Review or delete the order-history file when needed, and ask the agent to confirm 'usual' item choices before checkout.

What this means

Sensitive page snippets could appear in local logs or transcripts if debugging output is captured or shared.

Why it was flagged

The helper logs a browser snapshot excerpt, which may include local page text such as cart, address, or account context.

Skill content

console.error('DEBUG snap:', JSON.stringify(snap).substring(0, 200));

Recommendation

Remove or disable debug snapshot logging before routine use, and avoid sharing logs from grocery/account sessions.

What this means

You have less external provenance to verify that the included scripts are the intended, maintained version.

Why it was flagged

The skill includes executable helper scripts but has limited provenance information and no homepage/source reference.

Skill content

Source: unknown; Homepage: none; No install spec — this is an instruction-only skill; Code file presence 4 code file(s)

Recommendation

Review the included files before installing and prefer a source-linked version if available.