openclaw-ecommerce

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly fits its e-commerce purpose, but its price-checking code depends on missing and out-of-package helper code that should be reviewed before running it.

Review or fix the price-checking code before scheduling it. Install only if you are comfortable running npm install, keep watchlist URLs limited to public product pages, and inspect what is written under the interchange/ecommerce files before letting other agents rely on it.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the price-checking path may fail or may load code outside the reviewed skill if that external local file exists, undermining trust in automated price alerts.

Why it was flagged

The price-check module references a missing in-package file and a parent-directory helper that is not present in the supplied manifest or declared dependencies.

Skill content
import { addToHistory } from './price-history.js'; // I'll create this later, but for now assume.
import CircuitBreaker from '../../../interchange/src/circuit-breaker.js'; // Adjust path

Recommendation

Make the package self-contained: include the missing helper, declare and pin any shared dependency, avoid parent-directory imports, and add an install spec that matches the actual runtime requirements.

What this means

If an agent or user adds an unintended internal or sensitive URL to the watchlist, the skill could make a request to that address during price checks.

Why it was flagged

The price checker fetches the supplied URL directly, and the artifacts do not show URL scheme, hostname, localhost, or private-network restrictions.

Skill content
export async function checkPrice(productId, url) { ... const response = await fetch(url);

Recommendation

Only add trusted product URLs. The maintainer should validate URLs, allow only http/https, block localhost and private IP ranges, and require user approval for batch price checks.
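As an added example (not code from the skill or from ClawScan), here is the kind of validator a maintainer could call on each watchlist URL before checkPrice reaches fetch(): it accepts only http/https and rejects localhost and private or link-local address literals. The function names and the constructed test URLs are assumptions, not anything in the audited package.

```javascript
// Added example, not code from the skill: validate a watchlist URL before fetch().
// Accepts only http/https and rejects localhost plus private/link-local address literals.
// Caveat: a public hostname may still resolve to an internal address (DNS rebinding),
// so resolve and re-check the IP before connecting, and re-validate on every redirect.

const BLOCKED_V4 = [ // [base octets, prefix length]
  [[10, 0, 0, 0], 8], [[172, 16, 0, 0], 12], [[192, 168, 0, 0], 16],
  [[127, 0, 0, 0], 8], [[169, 254, 0, 0], 16], [[0, 0, 0, 0], 8],
];

function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  return o.every((x) => x <= 255) ? o : null;
}

function inRange(o, [base, bits]) {
  const toInt = (q) => ((q[0] << 24) | (q[1] << 16) | (q[2] << 8) | q[3]) >>> 0;
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return (toInt(o) & mask) === (toInt(base) & mask);
}

function isBlockedHost(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, '');
  if (h === 'localhost' || h.endsWith('.localhost')) return true;
  const v4 = parseIPv4(h); // URL already normalises hex/octal/decimal IPv4 forms
  if (v4) return BLOCKED_V4.some((r) => inRange(v4, r));
  if (!h.startsWith('[')) return false; // plain hostname: needs the DNS-level check too
  const v6 = h.slice(1, -1); // URL.hostname keeps the brackets on IPv6 literals
  if (v6 === '::1' || v6 === '::') return true;
  if (/^f[cd]/.test(v6) || /^fe[89ab]/.test(v6)) return true; // fc00::/7, fe80::/10
  if (v6.startsWith('::ffff:')) { // IPv4-mapped, serialised by URL as two hex groups
    const [a, b] = v6.slice(7).split(':').map((x) => parseInt(x, 16));
    return BLOCKED_V4.some((r) => inRange([a >> 8, a & 255, b >> 8, b & 255], r));
  }
  return false;
}

// Returns null when the URL may be fetched, otherwise the reason it was rejected.
function validateWatchlistUrl(input) {
  let u;
  try { u = new URL(input); } catch { return 'unparseable URL'; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return `scheme ${u.protocol} not allowed`;
  if (u.username || u.password) return 'credentials in URL not allowed';
  if (isBlockedHost(u.hostname)) return `host ${u.hostname} is local or private`;
  return null;
}
```

The literal checks are the cheap first gate; the maintainer still needs to check the resolved address and use a non-following redirect policy (for example `redirect: 'manual'` in fetch) so that a public URL cannot bounce the checker onto an internal one.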

What this means

Product and alert information may become visible to other OpenClaw agents that read interchange files.

Why it was flagged

The skill intentionally writes e-commerce state into markdown files for consumption by other agents, creating a cross-agent data boundary.

Skill content
- **Interchange Files** — Publishes product and alert data as .md files for other agents to consume

Recommendation

Review the generated interchange files and avoid putting secrets, customer data, or highly sensitive business details in product names, URLs, alerts, or order fields.