Freshippo
ReviewAudited by ClawScan on May 10, 2026.
Overview
This looks like a real Freshippo shopping helper that stops before payment, but it still uses a logged-in browser session to change cart and delivery-related account state, so it needs review.
Install only if you are comfortable letting the agent use a logged-in Freshippo browser session to prepare a cart and order preview. Do not let it complete payment, review every item, coupon, address, and delivery slot yourself, and prefer using an isolated browser profile for this task.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could access account-specific cart, coupon, delivery slot, and address-related information through the user's active session before payment.
The skill directs the agent to rely on an existing browser login/session to act in the user's Freshippo account, without a clearly declared credential boundary or isolated account scope.
Option A: User already logged in (Chrome profile) ... If user profile has active session → proceed
Use only after explicit consent, preferably in an isolated browser profile. The skill should declare logged-in session use and require confirmation before each account-affecting action.
The wrong items, quantities, coupons, delivery slot, or address could be selected in the account, even though the user still completes final payment manually.
These browser automation steps can mutate the user's shopping account/cart and select order-related options. The skill stops before payment, but it does not clearly require separate approval for each mutation.
Step 5: Order Generation (Requires login) - Add to cart - Check X会员 discounts - Select delivery slot ... Generate order preview
Require explicit user approval before adding items, applying coupons, changing quantities, choosing delivery slots, or selecting addresses, and provide an easy undo/removal path.
Shopping details, delivery timing, and possibly address-related information may appear in the agent chat context.
The skill asks the agent to surface order and account-specific shopping details into the conversation context. No persistent storage is shown, so this is a purpose-aligned context/privacy note rather than a standalone concern.
Snapshot key information: ... Available delivery slots ... Cart subtotal and delivery fee
Avoid sharing more account or address detail than needed, and redact sensitive delivery information in summaries when possible.
It is harder to verify who maintains the skill or which source repository corresponds to the published package.
The source, author, repository, and version identifiers do not fully line up across artifacts. There is no executable install code here, but provenance is less clear.
clawhub.json: "author": "harrylabsj", "repository": "https://github.com/harrylabsj/freshippo"; package.json: "author": "openclaw", "url": "https://github.com/openclaw-community/freshippo.git"; registry version: 2.0.2 vs file version: 2.0.0
Confirm the intended maintainer/source before relying on the skill, and ask the publisher to align repository, author, and version metadata.