PDD Shopping
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: pdd-shopping Version: 2.1.0 The PDD Shopping skill is a well-structured assistant designed to help users navigate Pinduoduo deals, group buys, and subsidies. It contains clear safety boundaries, explicitly instructing the agent to stop before any payment or irreversible order submission and to request user consent before performing actions that require authentication. The browser automation logic in SKILL.md and references/browser-workflow.md is strictly aligned with the stated purpose of product discovery and cart management, with no evidence of data exfiltration, malicious execution, or harmful prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If allowed in a logged-in session, the agent may change the cart or advance a shopping flow up to the order-preview stage, though the artifacts say it must not pay or submit the final order.
The browser workflow documents clicks that can add items to a cart, start or join a group-buy flow, and proceed to checkout preview. These are purpose-aligned shopping actions, but they affect a third-party account state and should remain supervised.
browser.click(".add-cart-btn") ... browser.click(".group-buy-btn") ... browser.click(".checkout-btn")Keep browser actions supervised and require explicit confirmation before add-to-cart, group-buy, coupon, or checkout-preview clicks.
The agent may view or act within a logged-in Pinduoduo session for cart, coupons, group-buy, and order-preview checks.
The skill discloses that several operations require authenticated Pinduoduo access, while final payment is explicitly blocked. This is expected for shopping assistance but involves delegated account privileges.
| Add to cart | Required | ... | Coupon check | Required | ... | Group action | Required | ... | Payment | Blocked |
Use public browsing when possible, only log in when necessary, and avoid exposing unrelated account pages or personal details.
It may be harder to independently verify who authored or maintains the skill.
The registry metadata does not identify a verified source. Because this is instruction-only with no code or install script, this is a provenance notice rather than evidence of unsafe behavior.
Source: unknown
Install from a trusted registry page and review the visible instructions before granting any logged-in browser access.