Agent Commerce Engine
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: agent-commerce-engine
Version: 1.7.1
The agent-commerce-engine is a well-structured and legitimate tool designed to facilitate e-commerce interactions for AI agents. It implements standard commerce features such as product search, cart management, and order creation while adhering to security best practices, including HTTPS enforcement for remote endpoints and token-based authentication to avoid persisting raw passwords. Credential management is handled locally within the user's home directory (~/.openclaw/credentials/agent-commerce-engine/) with appropriate file permissions (0600), and the code in scripts/commerce.py and scripts/lib/commerce_client.py shows no signs of malicious behavior, data exfiltration, or unauthorized execution.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted http:// store URL could cause store passwords or session tokens to be sent over plain HTTP despite the skill's HTTPS-safety claim.
This is the HTTPS enforcement gate before the client sends account passwords and uses saved token headers. Because it checks for localhost as a substring of the whole URL, a non-HTTPS remote URL containing that text could bypass the intended protection.
if not self.base_url.startswith('https://') and not any(h in self.base_url for h in ['localhost', '127.0.0.1']):
...
response = self.session.post(url, json={"account": account, "password": password}, timeout=10)
Only use trusted https:// store URLs. The maintainer should parse the hostname and allow HTTP only when the host is exactly localhost or 127.0.0.1.
Anyone who can read the local credential file could potentially act as the user for that store.
The client stores the account identifier and API token locally. This is disclosed and file permissions are restricted, but it is still sensitive account access.
json.dump({"account": account, "token": token}, f)
os.chmod(self.creds_file, 0o600)
Use logout to remove saved tokens when finished, and avoid using the skill on untrusted or shared machines.
The agent could change shipping/profile details, empty a cart, or create an order record if the user or another prompt directs it to run these commands.
The skill exposes commands that can modify user profile data, carts, and orders. These operations are expected for a commerce engine, but they are high-impact actions.
prof_p = subparsers.add_parser("update-profile", help="Update user profile")
...
subparsers.add_parser("clear-cart", help="Clear the entire cart")
...
order_p = subparsers.add_parser("create-order", help="Create an order from cart")
Confirm cart, profile, and order changes with the user before running mutating commands, especially create-order and clear-cart.
A malicious or compromised store could include misleading instructions in API responses.
Compatible backends can return natural-language instruction fields intended to influence the agent's next step. That is useful for commerce errors, but the text comes from the store backend.
The `instruction` field SHOULD accompany the `error` code to provide human/agent-readable guidance ... for the Agent's next action.
Treat backend instruction fields as untrusted suggestions limited to the shopping task; do not let them override user intent or security rules.
