Autonomous Commerce
SuspiciousAudited by ClawScan on May 10, 2026.
Overview
This skill is designed to make real purchases, but it uses saved shopping/payment sessions and wallet keys while its budget, escrow, and sensitive-data safeguards are not clearly enforced.
Only use this after careful review, preferably with a dedicated Amazon account, limited payment method, and test or low-balance wallet. Require manual review of the exact final checkout total before any order is placed, pin and inspect dependencies, and delete or secure any saved checkout screenshots and proof files.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If installed and run with a real Amazon session, the agent may be able to place orders using the user's saved account and payment methods.
The purchase script uses a persistent local browser profile/session, allowing it to act as a logged-in Amazon user with saved payment and address data.
const USER_DATA_DIR = path.join(__dirname, '.chrome-session'); ... const browser = await chromium.launchPersistentContext(USER_DATA_DIR, {Use only a dedicated, limited shopping profile with a restricted payment method; require explicit user confirmation at final checkout; declare this session requirement clearly in metadata.
A wallet private key can control funds; using it with this skill creates financial risk if the runtime, dependencies, or calling code are not tightly controlled.
The escrow example uses a wallet private key, but the registry requirements declare no env vars or primary credential, under-disclosing a high-impact financial credential.
privateKey: process.env.WALLET_PRIVATE_KEY, network: 'base'
Declare required wallet credentials, use least-privilege or test wallets, avoid primary wallets, and require explicit approval for escrow creation, release, and refund actions.
Funds could be released based on incomplete or weakly verified purchase data, especially if the purchase function or order data is wrong or manipulated.
Escrow release only checks proof-hash format and presence of order fields before releasing funds; it does not recompute the proof, verify screenshot contents, check the retailer, or enforce the budget.
if (!proofHash.startsWith('0x') || proofHash.length !== 66) { ... }
if (!orderData.orderId || !orderData.total) { ... }
await escrowClient.escrowRelease(escrowId);Recompute and verify proof data, compare the final total against the escrow budget, validate retailer/order details, and require user approval before releasing escrow.
A mistake in page selection, cart contents, price parsing, or user approval flow could result in a real unintended order.
The script can click Amazon's final order button. It prompts for 'yes', but the artifacts do not show robust final total extraction, tax/shipping/cart validation, or binding to a user-provided purchase request before this action.
const placeOrderBtn = await page.$('[name="placeYourOrder1"], input[name="placeYourOrder1"], #submitOrderButtonId input');
if (placeOrderBtn) {
await placeOrderBtn.click();Before placing an order, display the exact item, seller, quantity, shipping address, payment method, tax/shipping, and final total, then require explicit user confirmation.
Sensitive purchase and account information may remain on disk after the task and be accessible to other local processes or future users of the machine.
The script automatically stores screenshots of checkout and confirmation pages in a local temp directory; these pages may include order IDs, addresses, account details, or payment hints.
const SCREENSHOT_DIR = '/tmp/vhagar-purchase'; ... await page.screenshot({ path: p }); ... '06-checkout.png', '07-confirmation.png'Store screenshots in a user-approved secure location, redact PII before saving or sharing, and delete evidence files after verification unless the user chooses to retain them.
Users may over-trust the advertised safeguards and allow the skill to make purchases with less oversight than is warranted.
The documentation makes a strong safety claim, but the provided code does not clearly enforce a final checkout total or full escrow-budget check before order placement and escrow release.
What agent CANNOT do: ... ❌ Purchase beyond budget
Tone down absolute safety claims unless enforced in code; document exactly which limits are enforced, where they are checked, and what the user must still verify.
Future dependency versions could change behavior in a sensitive commerce workflow.
The skill depends on external npm packages with semver ranges. These dependencies are purpose-aligned, but they matter more because the skill handles purchases and wallet-backed escrow.
"dependencies": {
"playwright": "^1.40.0"
},
"optionalDependencies": {
"clawpay": "^1.0.0"
}Pin dependency versions, use a lockfile, and review dependencies before running the skill with real accounts or funds.