Supplychainsentinel
Warn. Audited by ClawScan on May 18, 2026.
Overview
This skill is coherent for supply-chain monitoring, but it asks for broad business credentials and describes automatically creating or rerouting purchase orders without clear approval or rollback controls.
Review carefully before installing. Use sandbox credentials and test data first, require manual approval before any PO creation or rerouting, restrict database and messaging permissions, and configure any periodic monitoring with explicit limits and stop controls.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A bad forecast, bad supplier record, or model mistake could cause unintended purchases or rerouting and trigger stakeholder communications.
Creating purchase orders is a high-impact business action, and the artifact frames it as automatic based on a weather threshold without showing approval, spending limits, or rollback.
If typhoon or severe storm detected with >60% probability, automatically create alternative POs with backup suppliers and notify procurement team.
Use dry-run mode by default, require explicit human confirmation before creating or changing POs, and set clear limits for suppliers, SKUs, spend, and notification recipients.
The agent may be able to read operational shipment and supplier data, send Slack/email messages, and use database-backed business data with unclear boundaries.
The skill requires multiple provider credentials plus a database connection string, but the artifacts do not define least-privilege scopes, read/write limits, environment separation, or recipient restrictions.
"requires":{"env":["SHIPPO_API_KEY","FLEXPORT_API_KEY","OPENWEATHER_API_KEY","SLACK_WEBHOOK_URL","SENDGRID_API_KEY","DATABASE_URL"]}
Provide only least-privilege test credentials first, restrict database permissions to the minimum required tables/actions, and use dedicated Slack/SendGrid endpoints with limited recipients.
Incorrect disruption detection could trigger wrong rerouting decisions and broad notifications, potentially affecting procurement, inventory, and customer commitments.
The workflow connects many external signals to downstream ERP, procurement, Slack, and email actions, so one incorrect input or interpretation could propagate across multiple business systems.
monitors 15+ shipping APIs, port delay databases, and weather systems to detect disruptions ... then automatically triggers PO rerouting workflows and notifies stakeholders with updated ETAs.
Add containment controls such as staged approvals, simulation reports, rate limits, audit logs, and a manual review step before external business systems are changed.
If configured as an ongoing task, it could keep querying services and triggering alerts or evaluations until stopped.
Periodic monitoring is aligned with the skill's purpose, but the artifact does not describe scheduling controls, stop conditions, or who authorizes ongoing runs.
Poll supplier APIs every 30 minutes.
Only enable scheduled monitoring intentionally, document who owns it, and configure clear stop conditions, logging, and alert thresholds.
