Agentic Commerce — Lifestyle, Wellness, & Gifts
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: agentic-commerce-forthecult Version: 1.0.5 The skill bundle describes an agentic e-commerce interaction with a single, specified domain (forthecult.store). The documentation (SKILL.md, references/API.md, references/ERRORS.md) includes extensive and repeated security guardrails explicitly instructing the AI agent to avoid common prompt injection vectors, such as not following external URLs from error suggestions or actions, not inferring or sending identity tokens without explicit runtime provision for specific endpoints, and requiring explicit user confirmation before initiating payments. There is no evidence of intentional harmful behavior, data exfiltration, persistence mechanisms, or obfuscation. The `walletAddress` field is for a legitimate token-holder discount feature.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may help create an actual order and provide cryptocurrency payment instructions, so an incorrect item, address, chain, token, amount, or destination address could cause inconvenience or financial loss if the user pays.
The checkout API can create real purchase orders and requires customer email, shipping details, payment method, and optional wallet address. This is expected for the skill, but it is high-impact and should stay user-confirmed.
Complete field specification for creating an order. This is the core Agentic Commerce endpoint — where an agent converts product discovery into a real purchase.
Require a final user review of items, quantities, shipping address, payment chain/token, amount, and destination address before submitting checkout or instructing payment.
If API suggestions are wrong or unexpected, the agent could retry with altered queries or endpoints without asking first.
The skill tells agents to follow API-provided suggestions automatically, including retrying searches or calling suggested endpoints. This is purpose-aligned error recovery, but remote response text should not override the user's purchase intent.
agents should always check for the `error` key and use `suggestions` to auto-recover without human intervention
Allow automatic recovery for harmless searches and documented status calls only; ask the user before changing checkout fields, substitutions, quantities, payment methods, or addresses.
If a runtime supplies this identity header, the store may receive agent identity/profile context for the listed agent-only endpoints.
The skill documents an optional runtime-supplied identity token. The artifacts bound it to specific endpoints and say not to send it for normal store operations.
Identity header: `X-Moltbook-Identity` is optional and only for agent-only endpoints (`/api/agent/me`, `/api/agent/me/orders`, `/api/agent/me/preferences`)
Only attach the identity header when the runtime explicitly provides it and only for the documented agent-only endpoints.