Shopping Expert
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: shopping-expert
Version: 1.1.0

The OpenClaw AgentSkills skill bundle 'shopping-expert' is classified as benign. The `SKILL.md` documentation clearly outlines the skill's purpose and the required API keys (`SERPAPI_API_KEY`, `GOOGLE_PLACES_API_KEY`), which are directly relevant to its functionality. The `scripts/shop.py` Python code uses common HTTP libraries (`requests`, `urllib3`) to interact with the legitimate SerpAPI and Google Places API endpoints. There is no evidence of data exfiltration, unauthorized command execution, persistence mechanisms, obfuscation, or prompt injection attempts against the agent. All observed behaviors are aligned with the stated purpose of finding and comparing products online and locally.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill may consume API quota or incur provider-side usage tied to the user's API keys.
The script uses provider API keys from environment variables for SerpAPI and Google Places, which is expected for this integration but gives the skill access to those services under the user's quota or billing account.
SERPAPI_KEY = os.environ.get("SERPAPI_API_KEY")
PLACES_API_KEY = os.environ.get("GOOGLE_PLACES_API_KEY")

Use scoped provider API keys where possible, monitor quota/billing, and avoid sharing keys in prompts or logs.
Search terms, preferences, country, and local location strings may be transmitted to third-party APIs.
The script sends search parameters to SerpAPI and Google Places. This is consistent with the stated purpose, but product searches and local location queries are shared with external providers.
SERP_BASE_URL = "https://serpapi.com/search"
PLACES_BASE_URL = "https://places.googleapis.com/v1"
...
response = requests.get(SERP_BASE_URL, params=params, timeout=30)
...
response = requests.post(url, json=body, headers=headers, timeout=30)
Do not use highly sensitive addresses or private purchasing details unless you are comfortable sending them to the configured providers.
Dependency versions may vary over time depending on the package resolver and available packages.
The uv-run script declares runtime Python dependencies using lower-bound version constraints. This is common and purpose-aligned, but it relies on package resolution from the Python package ecosystem rather than fully pinned versions.
# dependencies = [
#     "requests>=2.31.0",
#     "urllib3>=2.0.0",
# ]
Install in a normal isolated environment and, for stricter reproducibility, pin or lock dependencies before deploying in sensitive environments.
