Buyma Order Automation
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill’s purpose is clear, but it asks the agent to use logged-in Chrome sessions to edit BUYMA order data and send order files by email or Telegram without clear recipient, approval, or account boundaries.
Install only if you are comfortable giving the agent access to the signed-in BUYMA, Naver Mail, and Telegram workflow. Prefer a dedicated browser profile, pre-approved recipients/chats, and mandatory confirmation before editing order memos or sending any workbook.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could act as the signed-in user in BUYMA and Naver Mail, including accessing order data and sending messages from the user’s account.
The skill instructs the agent to use existing browser sessions rather than a narrowly scoped credential or profile. That grants access to logged-in BUYMA and Naver Mail accounts and potentially anything else available in the default Chrome profile.
"Always use Chrome default profile for BUYMA and Naver Mail"
Use a dedicated Chrome profile or scoped service account for this workflow, and require explicit user confirmation before account actions or mail sending.
A mistaken invocation or bad range could change business order records or send order workbooks without the operator reviewing the exact changes and destination.
The workflow authorizes live modification of BUYMA order memos and outbound sending of generated order files, but the artifacts do not define confirmation requirements, recipients, or a bounded send channel.
"Check and input receipt memo numbers for target orders ... Send by Naver Mail in Chrome ... On BUYMA/CSV/mail failure, stop immediately and notify via Telegram with file attachment if available"
Add explicit approval checkpoints for memo edits and outbound messages, define allowed recipients/channels, and require the operator to confirm the exact order range before execution.
Sensitive order details could be sent to an unintended email recipient or Telegram chat if the browser state or channel selection is wrong.
The skill sends a workbook that likely contains order/customer data through Telegram as a fallback, but the artifacts do not identify the Telegram account, chat, recipient, or data-handling boundary.
"Notify via Telegram immediately - Attach output workbook in Telegram"
Specify approved mail recipients and Telegram chat IDs, require confirmation before attaching files, and avoid sending customer/order data through unspecified channels.
Incorrect or poisoned memory entries could cause the agent to process the wrong order range, use the wrong file, or send results to the wrong destination.
The skill makes persistent memory/log content authoritative before acting, but MEMORY.md is not included and no trust or validation rules are defined. This is risky because later remembered text could influence live account actions.
"Follow MEMORY.md and recent memory logs before acting"
Treat memory and logs as untrusted operational data, not instructions; validate key details with the operator before account changes or outbound sends.
