ClawHub

Buy Anything

v3.0.3

Purchase products from Amazon and Shopify stores through conversational checkout. Use when user shares a product URL or says "buy", "order", or "purchase" wi...

2· 2.3k·3 current·3 all-time
by@tsyvic
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (purchase from Amazon/Shopify) match the instructions: open a BasisTheory card-capture page, accept a token from the user, and call Rye partner endpoints via curl. Required binary (curl) is appropriate for the HTTP requests the skill performs.
Instruction Scope
SKILL.md keeps a narrow scope: it explicitly forbids fetching product pages itself, instructs the agent to open browser pages for secure card entry, collects only buyer address and a BasisTheory token, and uses Rye API for checkout. It does not instruct reading unrelated files or environment variables.
Install Mechanism
Instruction-only skill (no install spec, no code files) — lowest install risk. README mentions installing via clawdhub/npm which would pull code from a repo if used; that is separate from the skill bundle here and should be reviewed if you follow those install instructions.
Credentials
The skill requests no environment variables or secrets, which is appropriate. Two things to note: (1) it stores BasisTheory token IDs in agent memory if the user agrees — those tokens can be reused for future purchases and thus are sensitive; (2) SKILL.md claims no API key is needed because the partner path authenticates (authentication-by-path is unusual), so successful operation relies on Rye's server-side checks rather than local credentials.
Persistence & Privilege
always:false and user-invocable are appropriate. The skill intends to save token/address in agent memory only with user permission — this is normal for convenience but increases persistent credential exposure if granted.
Assessment
What to consider before installing/using: (1) Verify the card-capture URL is the legitimate Rye/BasisTheory page (do not paste full card data into chat; only paste the token ID from the secure page). (2) Understand that if you allow the skill to save your BasisTheory token or address in memory, that token can be used for future purchases — only save it if you trust the skill and device. (3) The skill claims no API key is required; that relies on Rye's server configuration — if you have concerns, ask the provider how purchases are authenticated and how misuse is prevented. (4) Prefer setting a conservative per-order spending limit or using a disposable/virtual card for testing. (5) If you plan to install via README instructions (clawdhub/npm), review the remote repo before running install commands. If any of these points worry you, avoid saving tokens and confirm receipt emails/charges after each order.

Like a lobster shell, security has layers — review code before you run it.

latestvk979wrepp616k7h4vahynydh4h829h6z

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📦 Clawdis
Binscurl

Comments