Agresource
Warn
Audited by ClawScan on May 10, 2026.
Overview
This skill mostly matches its stated purpose, but it embeds a real-looking AgResource email/password and can use that account by default, so it needs review before use.
Do not run this skill as-is. Remove the hardcoded AgResource credentials, rotate the exposed password if it is real, require your own declared environment variables, and verify the Playwright dependency and Telegram destination before use.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill without setting your own credentials could log in as the embedded account, exposing that account and creating unauthorized or unintended account use.
The scraper uses a specific embedded AgResource account and password as a fallback when environment variables are absent. This exposes a credential and can cause users or agents to access a third-party account they did not explicitly configure.
const AGRESOURCE_EMAIL = process.env.AGRESOURCE_EMAIL || 'brianppetty@yahoo.com';
const AGRESOURCE_PASSWORD = process.env.AGRESOURCE_PASSWORD || '4Brynn...';
Remove the hardcoded credentials, rotate the exposed password, and require users to provide their own AGRESOURCE_EMAIL and AGRESOURCE_PASSWORD through declared credential configuration.
A user may trust the credential handling description and run the scraper without realizing it can use an embedded login.
The documentation frames login as environment-variable based, but the included code contains hardcoded fallback credentials. That mismatch can make users believe no default account credential is present.
Login: Automatic using `AGRESOURCE_EMAIL` and `AGRESOURCE_PASSWORD` env vars
Update the documentation and registry metadata to accurately declare required credentials, and ensure the implementation fails closed when credentials are missing.
The skill may not run cleanly on another machine, and users cannot verify from the artifacts exactly which Playwright package/version should be used.
The skill depends on a local Playwright installation at a personal absolute path, while the registry says there is no install spec and no required binaries. This is not malicious by itself, but it leaves dependency provenance and reproducible setup unclear.
Playwright (installed locally: `/home/brianppetty/clawd/skills/agresource/node_modules/playwright`)
Provide a package manifest or install spec with pinned dependencies and remove personal absolute paths from the user instructions.
Newsletter content and derived market advice may remain on disk and be reused in later tasks.
The skill persistently stores newsletter summaries and sentiment history for later trend analysis. This is purpose-aligned and scoped, but it retains potentially private or paid newsletter-derived content.
Store summaries in `~/clawd/memory/agresource/YYYY-MM-DD.md` ... Track sentiment history in `~/clawd/memory/agresource/sentiment_history.json`
Review the storage directory, retention expectations, and whether full newsletter text or screenshots should be saved.
Newsletter-derived summaries or sales advice may be sent outside the local environment to a Telegram chat.
The skill discloses Telegram alerts, including brief newsletter summaries. This is aligned with the stated alerting purpose, but the artifacts do not declare Telegram destination or credential configuration.
Send Telegram alerts on new sales advice
Verify the Telegram bot token and chat destination before enabling alerts, and document the exact data sent.
