Hyderabad Shopper
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill is mostly a coherent price-shopping helper, but it goes beyond price checks by modifying shopping carts and sending checkout screenshots over Telegram without clear scope or disclosure.
Treat this as a shopping and checkout-assistance skill, not just a price comparison tool. Only install it if you are comfortable with it opening shopping sites, changing carts, and sending checkout screenshots through Telegram; confirm the Telegram recipient and remove the hardcoded address if unnecessary.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may install it expecting only price comparison, while the agent may proceed into cart/checkout workflows and transmit checkout details.
The user-facing description frames the skill as price lookup, while the detailed instructions include checkout and external messaging behavior.
description: "Finds lowest prices for Pincode 500081 without freezing." ... "add the item to the cart, navigate to the final payment screen" ... "Send a screenshot of the checkout page to the user via Telegram."
Update the description and metadata to clearly disclose checkout and Telegram behavior, and require explicit user approval before those steps.
The agent could change shopping carts or reach checkout pages in the user's accounts before all details are verified.
Adding items to cart and navigating checkout can rely on logged-in shopping sessions and modifies account/cart state; the skill does not define which accounts, quantities, sellers, or reversal steps are allowed.
If the user selects an item to buy, open ONE tab, add the item to the cart, navigate to the final payment screen, and **PAUSE**.
Require a separate confirmation before cart/checkout actions, show product, seller, quantity, fees, and platform, and avoid using saved account sessions unless the user explicitly agrees.
Sensitive checkout information could be sent to the wrong Telegram chat or exposed through an external messaging channel.
Checkout screenshots can contain order, delivery, account, and payment-context details, but the Telegram recipient, authorization, and redaction rules are not specified.
Send a screenshot of the checkout page to the user via Telegram.
Ask for explicit consent and recipient confirmation before sending anything through Telegram, and redact sensitive details from screenshots where possible.
The exact location may be available to the agent or anyone reviewing the skill, and could be reused in future shopping context.
A specific address is embedded in persistent skill metadata, even though the operational instructions only require the pincode.
metadata: address: "102 Saboori Enclave Whitefields" pincode: "500081" location: "Hyderabad"
Remove the exact address unless it is necessary, and keep only the pincode or ask the user for delivery details at runtime.