Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

checkout-agent

v0.1.0

Automated checkout processing

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The SKILL.md describes platform API integration and says "Set up API credentials in environment variables as needed," yet the registry metadata declares no required environment variables, credentials, or platform-specific configuration. A checkout capability reasonably needs named credentials or OAuth flows for the stores it will interact with; the absence of those declarations is inconsistent.
! Instruction Scope
Instructions are high-level and permit broad behavior (web searches, product comparisons, applying promo codes). They do not name data sources, APIs, or exactly what the agent may read or transmit. The activation rule ('when the user mentions buying') is broad. This vagueness gives the agent wide discretion, which can lead to unintended access or use of credentials unless constrained.
Install Mechanism
No install spec and no code files — the skill is instruction-only, so it does not write binaries or execute downloaded code during installation. From an install perspective this is low risk.
! Credentials
The skill's text explicitly asks the user to "Set up API credentials in environment variables as needed," but the metadata lists no env vars or primary credential. That mismatch means the skill could later request arbitrary sensitive keys (payment, platform tokens) without having declared them up front — disproportionate and unclear.
Persistence & Privilege
The skill does not request always-on presence (always:false) and uses default autonomous invocation behavior. There is no indication it modifies other skills or system-wide settings. Autonomous invocation is permitted by default but does increase blast radius when combined with other concerns noted above.
What to consider before installing
Before installing, ask the author to list exactly which platforms are supported and the precise environment variables or OAuth flows required (names and scopes). Refuse to provide payment credentials or full-account API keys until you understand how they're stored and used. Prefer skills that use explicit OAuth flows (with limited scopes) rather than asking you to drop secrets into environment variables. If you enable this skill, require manual confirmation before any purchase action and avoid granting it autonomous purchasing rights. If the author cannot provide concrete integration details and a security model for credentials, treat the skill as risky and do not enable it for sensitive transactions.

Like a lobster shell, security has layers — review code before you run it.

latestvk978axzca0y79wd7mh80y57n3x84293r

Runtime requirements

🛒 Clawdis

SKILL.md

🛒 Checkout Agent

Automated checkout processing

What It Does

Streamlines the checkout process for AI-mediated purchases. Validates shipping addresses, compares delivery options and costs, applies promotional codes, and presents a final order summary for user confirmation before purchase completion.

Usage

When the user mentions buying, purchasing, shopping, or looking for product deals, this skill activates to help find the best options.

Example Prompts

  • "Find me the best deal on [product]"
  • "Compare prices for [product] across platforms"
  • "Is there a coupon for [product]?"
  • "Help me buy [product] under [budget]"

Configuration

Set up API credentials in environment variables as needed for each supported platform.

Architecture

User Request → Intent Parser → Product Search API → Result Ranker → Recommendation Display

Roadmap

  • v0.1: Basic product search via web search
  • v0.2: Platform API integration
  • v0.3: Price tracking and alerts
  • v1.0: Full autonomous purchasing flow

Author

Created by hanxueyuan as part of the Agent Commerce initiative. License: MIT

Files

1 total