Strider Walmart

v1.0.0

Shop Walmart via Strider Labs MCP connector. Search products, check store inventory, add items to cart, manage pickup/delivery. Complete autonomous shopping...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name and description match the instructions: the SKILL.md documents an MCP connector for Walmart and instructs installing/running @striderlabs/mcp-walmart via npm/npx. Requesting the npx binary is proportional to this purpose.
Instruction Scope
Instructions stay within the connector scope (search, cart, checkout, inventory, OAuth flow). They do instruct installing and running a third‑party npm package and configuring an MCP client to invoke npx, but they do not ask the agent to read unrelated files or environment variables. The doc states tokens are "stored encrypted per-user" but gives no detail where/how they are stored — an implementation detail worth verifying.
Install Mechanism
This is an instruction-only skill but explicitly directs runtime execution of a remote npm package via npx (npx -y @striderlabs/mcp-walmart). Running npx will fetch and execute code from the npm registry on demand, which is a moderate-risk pattern because the actual code executed is not bundled with the skill and cannot be reviewed here.
Credentials
No environment variables or external credentials are declared or required in the SKILL.md; the connector uses an OAuth flow with per-user tokens, which is a reasonable design for a shopping connector. Verify where tokens are stored and encryption/rotation practices in the actual implementation.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and does not declare system-level config paths. It appears to run only when invoked by the MCP client and/or via the npm package it references.
Assessment
This skill appears to be a normal third‑party connector, but it relies on executing an npm package fetched at runtime via npx. Before installing or enabling it: (1) review the @striderlabs/mcp-walmart package on npm (and its repository) — check publisher, recent activity, and source code; (2) confirm where and how OAuth tokens are stored/encrypted and whether token scope is limited; (3) prefer installing and auditing the package yourself in a sandboxed environment (or run from a pinned, audited release) rather than allowing unrestricted npx downloads; (4) if you have sensitive saved payment methods, consider testing with a throwaway account first. If you cannot review the npm package or verify the maintainer, treat the runtime npx execution as a material risk.

Like a lobster shell, security has layers — review code before you run it.

latestvk976h9rhkvbaja4kds41vhhs1d836g0h

Runtime requirements

Bins: npx
