Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Grocery Shopping Assistant

v1.1.3

Persistent pantry-backed grocery checklist for OpenClaw, intended for normal conversational use with Telegram shopping-list UI.

1 star · 182 downloads · 0 current · 0 all-time
by Serdar Salim (@serdarsalim)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for serdarsalim/grocery-assistant.

Install the skill "Grocery Shopping Assistant" (serdarsalim/grocery-assistant) from ClawHub.
Skill page: https://clawhub.ai/serdarsalim/grocery-assistant
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: bash, python3, openclaw
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install grocery-assistant

ClawHub CLI

npx clawhub@latest install grocery-assistant

Security Scan

Capability signals: Crypto, Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Suspicious
OpenClaw: Benign (high confidence)

Purpose & Capability

The name/description match the code and SKILL.md: the package implements a pantry-backed grocery state machine and a Telegram UI. Required binaries (bash, python3, openclaw) and the files that read/write ~/.openclaw/* are consistent with the stated design (OpenClaw-managed routing + optional standalone bot).

Instruction Scope

Runtime instructions explicitly state the skill will read ~/.openclaw/openclaw.json and write state under ~/.openclaw/data/grocery-checklist/. The included scripts perform only grocery-related operations (state CRUD, Telegram API calls, session pruning). Note: the skill loads the entire openclaw.json to locate the grocery Telegram account (documented); while that file may contain other channel credentials, the code accesses only the grocery account fields.

Install Mechanism

No download/install step is declared (instruction-only install), and all code is bundled with the skill. There are no external archive downloads or URLs that would write arbitrary binaries to disk.

Credentials

No environment variables or external secrets are required. The skill reads ~/.openclaw/openclaw.json to obtain the grocery Telegram bot token — this is expected and documented. It does not request unrelated cloud keys or other credentials.

Persistence & Privilege

The skill writes state to ~/.openclaw/data/grocery-checklist/ and the prune helper manipulates session files in ~/.openclaw/agents/grocery/sessions; these are within the OpenClaw workspace and consistent with a grocery agent. The skill is not marked always:true and does not modify other skills' configs.

Assessment

This skill appears to do what it says: it stores grocery state locally and uses a Telegram token from your OpenClaw config to render inline checklists. Before installing: (1) confirm you want the grocery bot token placed in ~/.openclaw/openclaw.json (or bind a dedicated grocery account) so the skill can find it; (2) review and, if required by your security posture, allowlist the bundled wrapper and Python scripts for exec approvals (SETUP.md mentions this); (3) if you want tighter isolation, create a dedicated Telegram 'grocery' bot/account and bind it only to this agent; (4) be aware there is an optional standalone bot script (telegram_bot.py) that can run outside OpenClaw — only run it if you intend to bypass OpenClaw's managed routing. If you need a deeper audit, provide the remaining truncated sections of index.js/grocery.py for a full line-by-line review.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🛒 Clawdis
Bins: bash, python3, openclaw
latest: vk97dqw8wpbg9gjsbatyxke4t7d84czv4
182 downloads
1 star
7 versions
Updated 2w ago
v1.1.3
MIT-0

Grocery Checklist

This skill stores grocery state locally and supports a Telegram checklist UX.

Intended usage:

  • OpenClaw handles conversation normally
  • this skill provides grocery state and actions
  • Telegram renders shopping and pantry views
  • the managed OpenClaw route is the primary install mode

Runtime behavior:

  • reads Telegram account config from ~/.openclaw/openclaw.json
  • writes pantry state to ~/.openclaw/data/grocery-checklist/state.json
  • writes Telegram polling state to ~/.openclaw/data/grocery-checklist/telegram-bot-state.json
  • uses the bundled wrapper at scripts/grocery.sh

Use it for:

  • I ran out of salt
  • Add milk and eggs to groceries
  • What do I need to buy?
  • Mark eggs bought
  • I'm shopping now
  • Should I go shopping today?

Wrapper:

bash <skill_dir>/scripts/grocery.sh ...

Core states:

  • needed
  • have

Telegram callbacks use:

callback_data: gchk:...

Behavior guidance:

  • when tools are available, use mutate_grocery_items for state changes and render_grocery_view for Telegram UI
  • treat natural grocery mutation phrasing as state changes
  • for mutation intents, run the mutation first; do not render as a substitute for the mutation
  • treat "show me the shopping list", "what do I need to buy", and "I am shopping now" phrasing as shopping-list renders
  • treat "show me the pantry" and "what do I have" as pantry renders
  • keep normal grocery conversation conversational
  • after a Telegram UI render or callback, do not send a second explanatory message
  • for successful Telegram UI actions, the ideal model output is exactly NO_REPLY
