Inventory Waste Optimizer
Pass. Audited by VirusTotal on May 7, 2026.
Overview
Type: OpenClaw Skill
Name: inventory-waste-optimizer
Version: 1.0.1
The skill bundle contains documentation and configuration for an inventory management agent designed for Quick Service Restaurants (QSRs). It defines business logic and safety constraints (referred to as 'ThumbGate') in SKILL.md and thumbgate-rules.md to prevent over-ordering and to monitor price fluctuations. No executable code, malicious instructions, or data exfiltration patterns were identified in the bundle itself. Setup runs an external npm package (npx thumbgate), which is consistent with the tool's stated functionality but is not part of the reviewed artifacts.
Findings (0)
No findings were raised. The notes below come from an artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could approve or create routine inventory orders without the user reviewing each purchase, which directly affects business spending and stock levels.
Evidence: The excerpt below shows the skill contemplates purchase-order creation and control. Combined with the declared can-make-purchases capability, the artifacts do not clearly require explicit user approval for POs that fall within the listed thresholds; the rule only blocks orders that exceed them.
Artifact excerpt: Price Jump Guard — Block the creation of POs where a vendor's unit price has increased >20% since the last cycle.
Recommendation: Require explicit human confirmation for every purchase or PO, set maximum spend limits per vendor and per SKU, run in simulation mode first, and keep audit logs of all proposed and executed orders.
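The rule quoted above together with the recommended controls, as one added example (not code from the skill, from ThumbGate, or from OpenClaw). It assumes a simple policy object, PO and price records with the field names shown, and constructed sample data; the numeric caps are illustrative. The guard has only two outcomes, blocked or needs human approval, so nothing is ever auto-approved, and every decision and confirmation is appended to an audit log:

```javascript
// Added example, not code from the skill, ThumbGate, or OpenClaw: a purchase-order
// guard applying the Price Jump Guard rule plus the recommended controls
// (per-vendor spend and per-SKU quantity caps, a simulation mode, an audit log,
// and explicit human confirmation for every PO). The policy shape, field names,
// and sample data are assumptions made for this example.

const policy = {
  priceJumpThreshold: 0.20,   // block when unit price rose more than 20% since last cycle
  maxSpendPerVendor: 5000,    // assumed per-PO cap per vendor, in currency units
  maxQtyPerSku: { 'BUN-4IN': 2000, 'PATTY-4OZ': 1500 },
  simulation: true,           // true: decisions are recorded but nothing is executed
};

// Last cycle's unit prices by vendor and SKU (constructed sample data).
const lastCyclePrices = {
  'acme-foods':   { 'BUN-4IN': 0.10, 'PATTY-4OZ': 0.55 },
  'fresh-supply': { 'LETTUCE-CASE': 18.00 },
};

// Constructed sample POs: routine, price spike, and over budget.
const samplePurchaseOrders = [
  { id: 'PO-1041', vendor: 'acme-foods', lines: [
      { sku: 'BUN-4IN', qty: 1000, unitPrice: 0.10 },
      { sku: 'PATTY-4OZ', qty: 500, unitPrice: 0.55 } ] },
  { id: 'PO-1042', vendor: 'acme-foods', lines: [
      { sku: 'PATTY-4OZ', qty: 500, unitPrice: 0.70 } ] },
  { id: 'PO-1043', vendor: 'fresh-supply', lines: [
      { sku: 'LETTUCE-CASE', qty: 300, unitPrice: 18.00 } ] },
];

// Relative price change since last cycle, or null when there is no baseline.
function priceJump(current, previous) {
  if (typeof previous !== 'number' || previous <= 0) return null;
  return (current - previous) / previous;
}

// Evaluate one PO against the policy. The only outcomes are 'blocked' and
// 'needs_human_approval'; the guard has no auto-approve path.
function evaluatePurchaseOrder(po, prices, pol) {
  const blocks = [];   // hard stops
  const notes = [];    // advisory, shown to the approver
  let vendorTotal = 0;
  for (const line of po.lines) {
    const prev = (prices[po.vendor] || {})[line.sku];
    const jump = priceJump(line.unitPrice, prev);
    vendorTotal += line.qty * line.unitPrice;
    if (jump === null) {
      notes.push(`${line.sku}: no prior price on record`);
    } else if (jump > pol.priceJumpThreshold) {
      blocks.push(`${line.sku}: unit price up ${(jump * 100).toFixed(1)}% since last cycle (Price Jump Guard)`);
    }
    const cap = pol.maxQtyPerSku[line.sku];
    if (cap !== undefined && line.qty > cap) {
      blocks.push(`${line.sku}: qty ${line.qty} exceeds per-SKU cap ${cap}`);
    }
  }
  if (vendorTotal > pol.maxSpendPerVendor) {
    blocks.push(`${po.vendor}: PO total ${vendorTotal.toFixed(2)} exceeds vendor cap ${pol.maxSpendPerVendor}`);
  }
  return {
    poId: po.id,
    decision: blocks.length ? 'blocked' : 'needs_human_approval',
    blocks, notes, vendorTotal,
  };
}

// Append-only audit log of every proposed and executed order.
const auditLog = [];

function recordDecision(result, pol, now = new Date().toISOString()) {
  const entry = { ...result, at: now, simulation: pol.simulation, approvedBy: null, executed: false };
  auditLog.push(entry);
  return entry;
}

// Human confirmation is the only way a PO gets executed, and never in simulation.
function confirmByHuman(entry, approverId, pol) {
  if (!approverId) throw new Error('approver identity required');
  if (entry.decision !== 'needs_human_approval') {
    throw new Error(`PO ${entry.poId} is ${entry.decision}; cannot be confirmed`);
  }
  const confirmed = { ...entry, approvedBy: approverId, executed: !pol.simulation };
  auditLog.push(confirmed);
  return confirmed;
}

// Usage: evaluate and record every sample PO.
for (const po of samplePurchaseOrders) {
  recordDecision(evaluatePurchaseOrder(po, lastCyclePrices, policy), policy);
}
```

Running the file evaluates the three sample POs: PO-1041 needs human approval, PO-1042 is blocked by the Price Jump Guard (unit price up 27.3%), and PO-1043 is blocked by the vendor spend cap. With simulation left on, even a confirmed PO is logged with executed: false; turn the flag off only after the log from a simulation run has been reviewed.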
Granting broad spreadsheet access could expose sensitive sales and inventory data or allow unintended edits if the connected account's permissions are wider than the skill needs.
Evidence: The skill needs access to the primary business spreadsheets. This is purpose-aligned, but the registry declares no primary credential or required configuration paths, and the docs do not specify OAuth scopes or read/write boundaries.
Artifact excerpt: Connect the agent to your primary "Sales" and "Inventory" Google Sheets.
Recommendation: Use least-privilege sharing, preferably a dedicated service account or restricted copies of the sheets shared only with it, and confirm whether the skill needs read-only or write access; if it only reads, grant the read-only Sheets OAuth scope (spreadsheets.readonly) rather than the full spreadsheets scope.
Running an unverified setup package could modify the local agent environment in ways not visible from this skill's artifacts.
Evidence: Setup relies on an external npm package run via npx, with no pinned version and no reviewed package contents included in the artifacts. Run without a version, npx resolves whatever is currently tagged latest on the registry, so the code that executes can differ from whatever was reviewed. The dependency is disclosed and purpose-related, but it is still a supply-chain dependency that users should verify before running.
Artifact excerpt: Install ThumbGate: `npx thumbgate init --agent openclaw`
Recommendation: Inspect the ThumbGate package contents, pin a known version, verify its publisher, and run setup in a controlled environment before using it with real purchasing workflows.
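A pre-flight check for the install step, as an added example that is not part of the skill or of ThumbGate. It refuses to run npx with an unpinned package spec, prints the registry metadata and file list to review, and only then runs the installer from the pinned release. The version 1.2.3 and the assumption that the package's command is named thumbgate are placeholders, not facts about any real ThumbGate release:

```shell
#!/bin/sh
# Added example, not part of the skill or of ThumbGate: refuse to run the
# installer unless the npm package spec is pinned to an exact version, and
# show the inspection steps to take first. The version 1.2.3 is a placeholder,
# and the package's executable is assumed to be named "thumbgate".

# is_pinned SPEC: succeeds only for name@MAJOR.MINOR.PATCH (scoped names allowed).
is_pinned() {
  spec="$1"
  ver="${spec##*@}"                       # text after the last '@'
  if [ "$ver" = "$spec" ] || [ -z "$ver" ]; then
    return 1                              # no '@version' at all (also bare @scope/name)
  fi
  case "$ver" in
    *[!0-9.]*) return 1 ;;                # tags (latest), ranges (^1.0.0, ~1.2, >=1), x-ranges
  esac
  case "$ver" in
    [0-9]*.[0-9]*.[0-9]*) return 0 ;;     # three numeric components
    *) return 1 ;;
  esac
}

# install_pinned SPEC: inspect the exact release, then run its init command.
install_pinned() {
  spec="$1"
  if ! is_pinned "$spec"; then
    echo "refusing to run unpinned package spec '$spec'" >&2
    return 1
  fi
  # What the registry says about this exact release: tarball hash and location.
  npm view "$spec" name version dist.integrity dist.tarball || return 1
  # The files that would be unpacked, without installing anything.
  npm pack "$spec" --dry-run || return 1
  # Run the installer from the pinned release only; never bare 'npx thumbgate'.
  npx --yes --package="$spec" thumbgate init --agent openclaw
}

# Example: install_pinned 'thumbgate@1.2.3'   (1.2.3 is a placeholder version)
```

Compare the dist.integrity hash printed by npm view against the one recorded in the lockfile of the environment where the package was reviewed; a mismatch means a different tarball than the reviewed one would run.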
Inventory, vendor, price, or order information could be sent to third-party alerting tools, depending on configuration.
Evidence: The optional alerting path sends events through external automation and messaging services. This is disclosed and purpose-aligned, but the artifacts do not specify what inventory or order data is included in each alert.
Artifact excerpt: Use [Make.com](https://make.com) ... to route Slack or Email alerts when ThumbGate catches an over-order.
Recommendation: Limit alert payloads to the fields needed to act on the alert, keep confidential vendor and pricing details out of them, and review the retention and access policies of Make.com, Slack, and email.
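One way to implement that payload limit, as an added example (not code from the skill, Make.com, or Slack). It assumes an internal event object with the field names shown, an allowlist of fields per alert type, and a hostname allowlist for the webhook; the hostname and event values are constructed. Absolute unit prices and the vendor identity never leave the boundary; only the percentage change, which is what a human needs to act on the alert, is forwarded:

```javascript
// Added example, not from the skill, Make.com, or Slack: shape an outbound
// alert from an internal ThumbGate event so that vendor and pricing details
// stay inside the business. Field names and sample values are assumptions.

// Fields permitted to leave the boundary, per alert type.
const ALLOWED_FIELDS = {
  over_order: ['event', 'poId', 'sku', 'qty', 'cap', 'decidedAt'],
  price_jump: ['event', 'poId', 'sku', 'jumpPct', 'decidedAt'],
};

// Never forwarded, even if someone adds them to an allowlist later.
const ALWAYS_DROP = new Set(['vendor', 'unitPrice', 'lastUnitPrice', 'vendorContract', 'margin', 'salesVolume']);

// Build the minimal payload for one event. Unknown alert types are rejected
// rather than forwarded as-is.
function buildAlertPayload(event) {
  const allowed = ALLOWED_FIELDS[event.event];
  if (!allowed) throw new Error(`unknown alert type: ${event.event}`);
  const out = {};
  for (const key of allowed) {
    if (ALWAYS_DROP.has(key) || event[key] === undefined) continue;
    out[key] = event[key];
  }
  // Derive the relative change so the approver sees "up 27.3%" without the
  // absolute prices being shared with the alerting service.
  if (event.event === 'price_jump' && out.jumpPct === undefined &&
      typeof event.unitPrice === 'number' && typeof event.lastUnitPrice === 'number' &&
      event.lastUnitPrice > 0) {
    out.jumpPct = Math.round(((event.unitPrice - event.lastUnitPrice) / event.lastUnitPrice) * 1000) / 10;
  }
  return out;
}

// Only send to HTTPS endpoints on the configured host allowlist.
function checkWebhookUrl(url, allowedHosts) {
  let parsed;
  try { parsed = new URL(url); } catch (err) { return false; }
  return parsed.protocol === 'https:' && allowedHosts.includes(parsed.hostname);
}

// Constructed sample: what the guard emits internally when the Price Jump Guard fires.
const sampleEvent = {
  event: 'price_jump', poId: 'PO-1042', vendor: 'acme-foods', sku: 'PATTY-4OZ',
  unitPrice: 0.70, lastUnitPrice: 0.55, vendorContract: 'ACME-2026-Q2',
  decidedAt: '2026-05-07T09:12:00Z',
};

// Placeholder webhook host for the example, not a real Make.com URL.
const WEBHOOK_ALLOWLIST = ['hook.example.com'];

// Returns the payload that would be posted, or null if the destination is rejected.
function prepareAlert(event, webhookUrl) {
  if (!checkWebhookUrl(webhookUrl, WEBHOOK_ALLOWLIST)) return null;
  return buildAlertPayload(event);
}
```

The resulting payload for the sample event carries only event, poId, sku, jumpPct and decidedAt; everything the approver needs to open the right PO locally, and nothing about the vendor relationship that the automation platform would then retain.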
If continuous monitoring is enabled, the agent may keep processing business data beyond a single user-invoked task.
Evidence: The artifact advertises continuous autonomous monitoring, but the provided files do not explain the runtime lifecycle, stop controls, or persistence mechanism.
Artifact excerpt: This autonomous agent monitors your inventory 24/7
Recommendation: Confirm how the agent is scheduled, how to disable it, and whether it is limited in when it may read the sheets or initiate purchase workflows.
