Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

kitchen-control

v1.0.0

Manage freezer inventory via WhatsApp commands, track stock and expiration, log sales, generate schedules, adjust prices dynamically, and forecast demand usi...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for m3d3l/kitchen-control.

Install the skill "kitchen-control" (m3d3l/kitchen-control) from ClawHub.
Skill page: https://clawhub.ai/m3d3l/kitchen-control
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install kitchen-control

ClawHub CLI


npx clawhub@latest install kitchen-control
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
!
Purpose & Capability
Name/description (WhatsApp + inventory + forecasting) matches what the code implements for inventory, sales, and schedule using PocketBase. However, the skill asks for a POCKETBASE_ADMIN_TOKEN (full admin access) which is higher privilege than required for typical CRUD inventory operations — a scoped service account or API key would be more appropriate. The SKILL.md also advertises AI forecasting and role-based auth; the code contains only a stub for the AI call and does not enforce per-user authorization checks.
!
Instruction Scope
SKILL.md instructs routing WhatsApp webhooks, configuring PocketBase and AI env vars, and mentions role-based auth and logging. The runtime code parses WhatsApp text commands and reads the declared env vars, but it does not implement role checks or logging, and the AI forecasting is a stub (no external AI call). This gap between documentation and implementation is scope-incoherent and may mislead operators about what the skill actually does and what data is transmitted.
Install Mechanism
There is no install spec (instruction-only plus one JS file). Nothing is downloaded or written by an installer, which is lowest-risk from an install mechanism perspective.
!
Credentials
SKILL.md requests POCKETBASE_URL and POCKETBASE_ADMIN_TOKEN and AI_API_KEY/AI_API_URL. Requiring the admin token is disproportionate for ordinary inventory operations and gives full control of the PocketBase instance; the code uses that admin auth approach directly. The AI_API_KEY/URL are declared but the code uses a local stub instead of making calls — collecting a key that isn't used is suspicious and increases risk. No other unrelated credentials are requested.
Persistence & Privilege
always is false and the skill does not request persistent platform privileges or modify other skills' configuration. It only uses its own connections to PocketBase.
What to consider before installing
This skill largely does what it says (inventory/sold/schedule via PocketBase), but before installing:
- Do not hand over a PocketBase admin token to this skill in production; ask the developer to use a scoped service account or API key with minimal privileges instead. Full admin tokens allow total control of your PocketBase data.
- Confirm whether the AI forecasting feature will actually call an external API and where that data will be sent; the current code uses a stub but the README asks for an AI key — avoid providing keys until that behavior is explicit.
- Request implementation of user authorization checks (role mapping by WhatsApp number) and server-side validation so arbitrary callers can't manipulate inventory.
- Test the skill in an isolated environment with a local PocketBase instance and dummy credentials before connecting it to production WhatsApp/webhooks.

If the developer cannot justify the admin token requirement or provide a least-privilege alternative, treat the skill as unsafe for production.

Like a lobster shell, security has layers — review code before you run it.

latest vk975p9sqe7vq9vwjx9zx0fgbzd833z4f
190 downloads
0 stars
1 version
Updated 1h ago
v1.0.0
MIT-0

Freezer Inventory Management Skill for OpenClaw

Overview

This skill manages freezer inventory in a convenience store via WhatsApp commands. It tracks inventory with expiration dates, logs sales, creates schedules for display, dynamically adjusts pricing based on cost and expiration, and uses an AI API for forecasting demand.

Features

  • Parse WhatsApp text commands: inventory input, sales updates, schedule requests
  • Integrate with PocketBase for persistent storage
  • Apply cost-aware dynamic pricing discounts
  • Call external AI API for sales forecasting and price recommendations
  • Provide WhatsApp-formatted response messages
  • Basic user role-based authorization

Usage

Deploy in OpenClaw runtime with environment variables configured for PocketBase and AI API. Connect your WhatsApp webhook to route messages to this skill.

Files

  • freezer_inventory_skill.js — main skill code

Installation

  1. Place the skill directory freezer_inventory_skill/ inside your OpenClaw skills folder.
  2. Configure environment variables:
    • POCKETBASE_URL, POCKETBASE_ADMIN_TOKEN for PocketBase access
    • AI_API_KEY, AI_API_URL for forecasting API
  3. Register and enable the skill in your OpenClaw instance.
  4. Route WhatsApp webhook messages to this skill.

Commands

  • inventory item1 qty1 item2 qty2 expiration YYYY-MM-DD
  • sold item qty
  • schedule

Notes

  • Extend integration with real WhatsApp API for message sending.
  • User authentication mapped by WhatsApp number.
  • Logging enabled for debugging.
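
The scan above asks for authorization checks mapped by WhatsApp number and for server-side validation of commands. The following is an added example, not the skill's own code (which this page does not show): it parses the three commands listed under Commands and denies by default. The role table, phone numbers, item-name pattern and quantity bound are assumptions.

```javascript
// Hypothetical allow-list; the numbers and role names are constructed for illustration.
const ROLE_BY_NUMBER = new Map([["+15550100", "manager"], ["+15550101", "clerk"]]);
const ALLOWED = new Map([
  ["manager", new Set(["inventory", "sold", "schedule"])],
  ["clerk", new Set(["sold", "schedule"])],
]);
const ITEM_RE = /^[a-z0-9_-]{1,32}$/i; // assumed item-name policy
const MAX_QTY = 10000;                 // assumed sanity bound
const BAD = Object.freeze({ ok: false, error: "bad_syntax" });

function parseQty(s) {
  if (!/^\d{1,5}$/.test(s)) return null; // digits only: rejects "-3", "1e9", "4.5"
  const n = Number(s);
  return n >= 1 && n <= MAX_QTY ? n : null;
}

function isValidDate(s) {
  if (!/^\d{4}-\d{2}-\d{2}$/.test(s)) return false;
  const d = new Date(s + "T00:00:00Z");
  // The round-trip comparison rejects rolled-over dates such as 2026-02-30.
  return !Number.isNaN(d.getTime()) && d.toISOString().slice(0, 10) === s;
}

function handleMessage(fromNumber, text) {
  const tokens = String(text).trim().split(/\s+/);
  const cmd = tokens[0].toLowerCase();
  const args = tokens.slice(1);
  // Deny by default: unknown sender, unknown command, or role without the permission.
  const allowed = ALLOWED.get(ROLE_BY_NUMBER.get(fromNumber));
  if (!allowed || !allowed.has(cmd)) return { ok: false, error: "unauthorized" };

  if (cmd === "schedule") return args.length === 0 ? { ok: true, cmd } : BAD;
  if (cmd === "sold") {
    const qty = args.length === 2 ? parseQty(args[1]) : null;
    if (qty === null || !ITEM_RE.test(args[0])) return BAD;
    return { ok: true, cmd, item: args[0], qty };
  }
  // inventory item1 qty1 [item2 qty2 ...] expiration YYYY-MM-DD
  const n = args.length;
  if (n < 4 || n % 2 !== 0) return BAD;
  if (args[n - 2].toLowerCase() !== "expiration" || !isValidDate(args[n - 1])) return BAD;
  const items = [];
  for (let i = 0; i < n - 2; i += 2) {
    const qty = parseQty(args[i + 1]);
    if (qty === null || !ITEM_RE.test(args[i])) return BAD;
    items.push({ item: args[i], qty });
  }
  return { ok: true, cmd, items, expiration: args[n - 1] };
}
```

Only a result with `ok: true` should reach the database layer, and that layer should use a credential scoped to the inventory collections rather than an admin token.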
