Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Agent Memory for Commerce

v1.3.1

Agent Memory for Commerce. Build commerce agents that remember customers, maintain transaction state across sessions, and reconcile billing context at scale...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Requires wallet · Can make purchases · Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The declared requirements (GREENHELIX_API_KEY, REDIS_URL, WALLET_ADDRESS) align with a guide that integrates a commerce gateway and a Redis-backed memory tier. However the SKILL.md text explicitly states the GreenHelix sandbox 'provides 500 free credits — no API key required to get started' while metadata/credentials still require GREENHELIX_API_KEY; this is an inconsistency that should be clarified.
Instruction Scope
This is an instruction-only guide containing production-ready Python examples for memory, reconciliation, and payment flows. The instructions (as shown) reference only the declared env vars and the GreenHelix API; they do not instruct reading unrelated system files or hidden credentials. Still, 'production-ready code' examples that interact with payment systems and persistent storage should be reviewed for data-handling and security details before execution.
Install Mechanism
No install spec and no code files are included (instruction-only). That minimizes installation risk — nothing will be downloaded or written by the skill itself.
Credentials
The number and type of env vars requested is reasonable for the stated purpose: API key for GreenHelix, REDIS_URL for state persistence, and WALLET_ADDRESS for payment routing. Concerns: (1) the guide's claim that the sandbox requires no API key conflicts with requiring GREENHELIX_API_KEY in metadata; (2) ensure WALLET_ADDRESS is truly only a public address and not a placeholder that could encourage providing private keys or secrets.
Persistence & Privilege
The skill does not request always:true, has no install actions, and does not modify other skills or system settings. Autonomous invocation is allowed by default but not a new privilege introduced here.
What to consider before installing
This appears to be an educational guide that expects you to wire your own GreenHelix API key, Redis URL, and a wallet address. Before installing or supplying secrets: (1) Confirm why GREENHELIX_API_KEY is required despite the guide's 'no API key required' sandbox claim; (2) Never provide private keys or wallet private material—only a public address if truly needed; (3) Use a private/secured Redis instance (avoid exposing REDIS_URL to the public); (4) Review the included Python examples yourself (they're not executed by the skill) to confirm they don't log or exfiltrate sensitive customer data; (5) If you plan to run these examples against production systems, do so in a test environment and rotate any credentials afterward. If the developer cannot explain the API-key contradiction, treat the skill as untrusted for use with real credentials.

Like a lobster shell, security has layers — review code before you run it.

ai-agent, context, greenhelix, guide, latest, memory, openclaw, reconciliation, stateful, transactions

Runtime requirements

Env: GREENHELIX_API_KEY, WALLET_ADDRESS, REDIS_URL
Primary env: GREENHELIX_API_KEY