Buy from Amazon — Search, Cart & Order for AI Agents
PassAudited by ClawScan on May 1, 2026.
Overview
This shopping skill is coherent and disclosed, but users should notice that it sends shipping and email details to buystuff.ai and can generate a real payment link.
Before installing, confirm you trust buystuff.ai with your shipping address and email, and only allow the agent to request a payment link after you have reviewed the full order details and total cost.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could cause a payment-link email to be sent, but the user must still independently open it and pay before any purchase is completed.
The skill can initiate a checkout-related action by requesting a payment link, but the artifact directs the agent to obtain explicit approval first and says no charge occurs through the API.
Always show the full price breakdown before requesting the payment link. ... You MUST get explicit user approval before requesting the payment link
Only approve the payment-link step after reviewing the item, quantity, shipping address, service fee, and total price.
Your shipping address and email are shared with the service so it can send a payment link and fulfill the order.
The artifact discloses that checkout sends personal delivery and contact information to buystuff.ai, which is expected for fulfillment but still sensitive.
data_sent: ... shipping address ... destination: https://buystuff.ai ... email address ... destination: https://buystuff.ai
Use this only if you are comfortable sharing the relevant address and email with buystuff.ai for order processing.
A retained session ID may link future requests to the same cart or shopping flow.
The skill instructs the agent to preserve a session identifier for cart continuity; this is expected for shopping but creates reusable session state.
Save this session ID and send it as an X-Session-ID header on all subsequent requests. This lets you ... Maintain continuity across the entire shopping flow
Treat session IDs as private shopping-session data and avoid reusing them outside the intended order flow.