Secure Shopper
v0.1.0Asynchronous shopping research + checkout using secure-autofill (1Password-backed browser filling) with results recorded to workspace artifacts.
⭐ 1· 442·0 current·0 all-time
byZhihao@moodykong
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's name/description (shopping + 1Password-backed autofill) align with its instructions and helper scripts that browse sites, use vault_suggest/vault_fill, and record candidates. However, the packaging omits explicit declarations for the secure-autofill prerequisites (gateway env vars, non-headless Chrome) and the scripts write to a hard-coded path (/home/miles/.openclaw/workspace/...) which does not match the skill metadata (requires no config paths). The hard-coded home directory is disproportionate to a portable skill and may not be appropriate for other users or environments.
Instruction Scope
Runtime instructions direct the agent to spawn sub-agents, run browser snapshots, and call external helper tools (vault_suggest/vault_fill) to fill credentials. The SKILL.md also mandates writing task artifacts to a specific filesystem location. The instructions assume the presence of secure-autofill and gateway env vars that are not declared in the skill manifest. While the skill claims a hard gate (require user accept/deny before checkout), the capability to log in and initiate checkout via secure-autofill means sensitive credentials and shopping actions could be used — the instructions should explicitly enumerate what secrets and confirmations are required.
Install Mechanism
There is no install spec (instruction-only with small helper scripts). This is low-risk from an installer perspective because no remote downloads or archive extraction occur.
Credentials
The manifest lists no required env vars or config paths, but the SKILL.md explicitly depends on the secure-autofill skill which itself requires gateway env vars and a working non-headless Chrome. The discrepancy (no declared credentials yet runtime use of vault_fill) is a proportionality mismatch: the skill enables use of secrets (via another skill) without declaring them or documenting the required scope. The hard-coded workspace path embeds a specific user identity (miles), which is not justified by the stated purpose and reduces portability/privacy.
Persistence & Privilege
always:false and normal autonomous invocation are fine. The skill writes artifacts to disk under its artifact directory (but with a hard-coded absolute path). It does not request system-wide configuration changes or alter other skills. Spawning sub-agents is part of its advertised behavior; combined with the vault-based autofill capability this increases the blast radius if sub-agents are allowed to act without strict user confirmation, though the SKILL.md states a hard accept/deny gate before checkout.
What to consider before installing
This skill appears to do what it says (shop, use secure-autofill, save results) but has packaging and disclosure issues you should address before installing. Specifically:
- The helper scripts write artifacts to a hard-coded path (/home/miles/.openclaw/workspace/...), which reveals a user-specific path and will not work correctly for other users — ask the author to make this path configurable or relative to the current agent/workspace.
- The SKILL.md depends on a separate secure-autofill skill and mentions gateway environment variables (and a non-headless Chrome) but the manifest declares no required env vars or config paths; confirm what secrets or environment variables secure-autofill actually needs and whether those will be present and limited in scope.
- The skill uses vault_suggest/vault_fill to access credentials via secure-autofill. Verify you trust the secure-autofill implementation and understand which credentials it will expose and under what conditions (ensure explicit user confirmation before any checkout or purchase action).
- Because the skill spawns sub-agents that browse and can log in, test it in a safe/isolated environment (or with test accounts) first to confirm it respects the stated 'accept/deny' gate and doesn't place orders autonomously.
If you plan to use it: require the author to (1) remove hard-coded paths or make them configurable, (2) declare required env vars/config paths in the skill manifest, (3) document exactly what secure-autofill vault operations occur, and (4) provide a reproducible way to run onboarding that does not assume a specific home directory. If those changes are not made, treat installation as higher risk.Like a lobster shell, security has layers — review code before you run it.
latestvk971yeh5m4fcmgt0w66t2059e581m1es
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🛒 Clawdis