Pantry Tracker

Security checks across malware telemetry and agentic risk

Overview

Pantry Tracker mostly matches its stated purpose, but its Supabase setup relies on the anon key for all database access while the provided schema creates the pantry_items table without enabling Row Level Security or defining any policies. The anon key is intended to be shipped client-side, so with RLS off, anyone who holds that key can read or modify the stored pantry rows.

Review the Supabase security setup before installing: enable Row Level Security on pantry_items and add policies, confirm the configuration uses only the anon key (never the service role key), and enable the recurring email scans only if you are comfortable with the agent periodically reading grocery-order emails and storing parsed purchase details.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Medium
What this means

If RLS is not enabled, the pantry purchase details and order references stored in Supabase are readable and writable by anyone holding the anon key, not only by the user who installed the skill.

Why it was flagged

The skill relies on anon-key/RLS containment, but the provided Supabase schema creates the pantry_items table without enabling Row Level Security or adding policies.

Skill content
Use the **anon key** (not the service role key). The anon key is safe for client-side use and sufficient for all pantry operations. Never use the service role key — it bypasses Row Level Security.
Recommendation

Before relying on the anon key, enable Row Level Security on pantry_items, add policies that express a clear access boundary (ideally per-user ownership tied to the authenticated user), document them, and verify they are in force; never use a service-role key for this client-side workflow.
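The following SQL is an added example of the recommended hardening, written for this review; it is not part of the skill's own schema. It assumes per-user ownership as the access boundary: a user_id column (not present in the skill's snippet) tied to Supabase Auth, with the agent calling Supabase as a signed-in user so auth.uid() is populated. With RLS enabled and no matching policy, the anon key alone returns no rows.

```sql
-- Added example, not from the Pantry Tracker skill.
-- Assumption: pantry_items gains a user_id column referencing auth.users,
-- and the agent authenticates as a Supabase Auth user (anon key + user JWT).
alter table public.pantry_items
  add column if not exists user_id uuid default auth.uid()
  references auth.users (id) on delete cascade;

-- Turn RLS on; "force" also applies it to the table owner.
alter table public.pantry_items enable row level security;
alter table public.pantry_items force row level security;

-- Deny by default: one narrow policy per command, scoped to the
-- "authenticated" role so an anonymous session matches nothing.
create policy "pantry_select_own" on public.pantry_items
  for select to authenticated
  using (user_id = auth.uid());

create policy "pantry_insert_own" on public.pantry_items
  for insert to authenticated
  with check (user_id = auth.uid());

create policy "pantry_update_own" on public.pantry_items
  for update to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

create policy "pantry_delete_own" on public.pantry_items
  for delete to authenticated
  using (user_id = auth.uid());

-- Belt and braces: remove the anon role's table privileges entirely, so a
-- later permissive policy cannot reopen the table to bare anon-key callers.
revoke all on public.pantry_items from anon;

-- Verification: both flags should be true and four policies listed.
select relrowsecurity, relforcerowsecurity
  from pg_class
 where oid = 'public.pantry_items'::regclass;

select policyname, cmd, roles, qual, with_check
  from pg_policies
 where schemaname = 'public' and tablename = 'pantry_items';
```

Run this in the Supabase SQL editor after creating the table from the skill's schema. Rows that already exist get a null user_id and will match no policy until backfilled, which is the safe failure direction. As a final check, query the table through the REST endpoint with only the anon key and no user session: the expected result is an empty set, not the pantry contents.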

ASI10: Rogue Agents
Low
What this means

Once configured, the agent may keep checking grocery emails and updating Supabase on a schedule without a fresh manual request each time.

Why it was flagged

The skill explicitly asks the user to configure recurring background tasks that continue scanning email-derived data and updating pantry state.

Skill content
Set up two cron jobs in OpenClaw: **Email scanner** (every 2-4 hours): Use the agent's existing email tool ... to search for grocery order confirmations.
Recommendation

Only enable the cron jobs if you want ongoing automation; keep the email search narrowly filtered to grocery order confirmations rather than the whole mailbox, and know how to pause or remove the scheduled tasks.

ASI06: Memory and Context Poisoning
Low
What this means

Your grocery history and order identifiers may be retained in Supabase beyond the original email scan.

Why it was flagged

The persistent database stores grocery source and email order-reference metadata, which can reveal purchase habits.

Skill content
  source text, -- "whole-foods", "instacart", "costco", "manual"
  order_id text, -- email order reference
Recommendation

Use a private Supabase project, consider omitting or redacting order IDs, and define a retention or cleanup process for old pantry records.
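An added example of the redaction and retention steps, written for this review rather than taken from the skill. It assumes a created_at timestamp column on pantry_items (not in the skill's snippet) and that the pg_cron extension is enabled in the Supabase project; both are assumptions. Order references are reduced on insert to a truncated hash, enough to de-duplicate repeat scans of the same email but no longer the retailer's identifier.

```sql
-- Added example, not from the Pantry Tracker skill.
-- Assumptions: a created_at column exists (added here) and pg_cron is
-- available in the project.
alter table public.pantry_items
  add column if not exists created_at timestamptz not null default now();

-- Redact on the way in: store a 12-hex-char SHA-256 prefix of the order
-- reference instead of the raw value parsed from the email.
create or replace function public.redact_order_id()
returns trigger
language plpgsql
as $$
begin
  if new.order_id is not null then
    new.order_id := left(
      encode(sha256(convert_to(new.order_id, 'UTF8')), 'hex'), 12);
  end if;
  return new;
end
$$;

create trigger pantry_redact_order_id
  before insert or update of order_id on public.pantry_items
  for each row execute function public.redact_order_id();

-- Retention: delete records older than max_age and report how many went.
create or replace function public.purge_old_pantry_items(
  max_age interval default '90 days')
returns bigint
language sql
security definer
set search_path = public
as $$
  with deleted as (
    delete from public.pantry_items
     where created_at < now() - max_age
     returning 1)
  select count(*) from deleted;
$$;

-- Only the scheduler (running as the database owner) should call this;
-- API roles never need it.
revoke execute on function public.purge_old_pantry_items(interval)
  from public, anon, authenticated;

-- Nightly purge inside the database, so it needs neither the agent nor
-- the anon key (assumes pg_cron is enabled in the project).
create extension if not exists pg_cron;
select cron.schedule(
  'purge_old_pantry_items',
  '15 3 * * *',
  $$select public.purge_old_pantry_items()$$);
```

Because the trigger fires on updates to order_id as well, a row cannot be rewritten back to a raw reference later. A truncated unkeyed hash of a short identifier is a de-duplication token, not a secret; if you need the mapping to be non-reversible against a guessed order number, drop the column instead, as the recommendation above also allows.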