Live Shopping Notes

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: locally record livestream shopping items and generate summaries, with no evidence of credential use, network exfiltration, or destructive behavior.

This looks safe for its stated purpose. Before installing, be aware that it saves a local history of livestream shopping notes, including item details, prices, links, and your comments.

VirusTotal

64/64 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI06: Memory and Context Poisoning
Low
What this means

Your recorded products, prices, links, and personal notes may remain saved locally after the livestream session.

Why it was flagged

The skill persistently stores livestream shopping sessions and item notes for later retrieval, which is expected for a notes skill but creates retained local context.

Skill content
this.store = new LocalStore('live-shopping-notes'); ... this.store.set(`session_${session.id}`, session);
Recommendation

Install only if you are comfortable retaining a local shopping-note history, and clear stored sessions if the platform provides a deletion option.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

The skill depends on the platform's shared storage helper to save notes.

Why it was flagged

The storage implementation is referenced from a shared path outside the two supplied skill files. This is not inherently unsafe, but it means the exact storage helper behavior is not shown in this artifact set.

Skill content
const { LocalStore } = require('../../shared/storage/local-store');
Recommendation

Prefer installing from a trusted registry/source and review platform storage controls if you need strict privacy guarantees.