ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

buyer-agent

v0.1.0

Personal AI buyer that shops for you

0· 10·0 current·0 all-time
by@hanxueyuan
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The name and description claim a 'fully autonomous buying agent' (including checkout in roadmap) but the SKILL.md contains only high-level design and web-search product discovery; it does not declare the APIs, payment hooks, or credentials that a real autonomous purchase flow would need. That mismatch is concerning because full purchasing requires sensitive credentials and clear integration points which are not listed.
!
Instruction Scope
The runtime instructions are very high-level and open-ended (activate when user mentions buying, perform research/comparison). They do not specify which services or endpoints to call, what data may be collected, or any safety/consent checks before performing purchases. This vagueness gives the agent broad discretion and could permit collection or use of sensitive information without constraints.
Install Mechanism
There is no install spec and no code files — this is instruction-only, which reduces install-time risk (nothing is downloaded or executed). However, being instruction-only also means there is no code for static analysis.
!
Credentials
The SKILL.md says 'Set up API credentials in environment variables as needed for each supported platform' but the skill metadata declares no required env vars or primary credential. That absence makes it unclear what secrets the skill will ask for and why; requesting payment or platform tokens later would be disproportionate without explicit declarations and justification.
Persistence & Privilege
The skill is not marked always:true and is user-invocable; it does not request persistent system-wide privileges in the metadata. Autonomous invocation is allowed by default, which is expected for skills but should be considered alongside the other concerns.
What to consider before installing
This skill is ambiguous about how it will actually perform purchases and what credentials it needs. Before installing or enabling it: 1) Ask the developer for a precise list of required environment variables, API endpoints, and what exact actions the agent will take (especially whether it will complete purchases or only provide links). 2) Do not provide payment or full-account credentials until you confirm least-privilege support (read-only keys or platform sandbox/test mode). Use virtual/ephemeral cards for any payment testing. 3) Require explicit opt-in/confirmation before any charge or checkout action; prefer a mode limited to search/links only. 4) Verify the publisher identity, homepage/repo, and code (if available) — instruction-only packages are harder to audit. 5) If you plan to allow purchases, insist on scoped API keys, logging of actions, and a clear privacy policy. Given the vagueness, treat this as experimental and avoid giving sensitive credentials until the integration details are clarified and minimized.

Like a lobster shell, security has layers — review code before you run it.

latestvk9704szj65jsb58dcpr9k1abv1841xg9

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🛒 Clawdis

SKILL.md

🛒 Buyer Agent

Personal AI buyer that shops for you

What It Does

A fully autonomous buying agent. Tell it what you need, set your budget and quality preferences, and it handles the entire purchase flow: research, comparison, selection, and providing the checkout link. Perfect for routine purchases like household supplies.

Usage

When the user mentions buying, purchasing, shopping, or looking for product deals, this skill activates to help find the best options.

Example Prompts

  • "Find me the best deal on [product]"
  • "Compare prices for [product] across platforms"
  • "Is there a coupon for [product]?"
  • "Help me buy [product] under [budget]"

Configuration

Set up API credentials in environment variables as needed for each supported platform.

Architecture

User Request → Intent Parser → Product Search API → Result Ranker → Recommendation Display

Roadmap

  • v0.1: Basic product search via web search
  • v0.2: Platform API integration
  • v0.3: Price tracking and alerts
  • v1.0: Full autonomous purchasing flow

Author

Created by hanxueyuan as part of the Agent Commerce initiative. License: MIT

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…