Inventory Manager
Security checks across static analysis, malware telemetry, and agentic risk
Overview
Review before using: the included code is sample-only, but the skill instructions advertise bulk store inventory changes and automated ordering/listing actions without clear safeguards.
Treat this as a review-before-use skill. The included Python script appears to use sample data and local CSV output only, but the documentation describes actions that could affect real e-commerce stores. Do not allow bulk sync, automatic reorder, or listing pause actions unless the implementation is reviewed, the exact stores/SKUs are scoped, and you approve the changes.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If connected to real stores, a mistaken command or threshold could push wrong stock levels, create purchase orders, or hide products from sale.
The skill documents bulk inventory sync and automated business actions that could alter store stock, generate purchase orders, or hide listings, but it does not describe explicit approval, dry-run, rollback, or tight scoping for those high-impact actions.
python scripts/sync_inventory.py \
--source taobao \
--target douyin \
--sync-all
...
"critical": {"threshold": 5, "action": "immediate_reorder"}
...
- **Pause listing**: Hide product from store
Require explicit user confirmation for each real store mutation, prefer dry-run previews, scope actions to named stores/SKUs, and document rollback or audit steps.
The agent may try to run missing scripts, or a user may be tempted to obtain unreviewed replacement scripts elsewhere.
The instructions reference several runnable helper scripts, but the provided manifest contains only scripts/inventory_manager.py. This mismatch means the documented workflows are not fully backed by the reviewed files.
python scripts/check_stock.py ... python scripts/sync_inventory.py ... python scripts/generate_po.py ... python scripts/forecast_sales.py ...
Use only the reviewed scripts included with the package, or request an updated package whose manifest matches the documented commands.
Store API credentials could allow inventory or listing changes if later configured with broad permissions.
The documentation anticipates platform API credentials for Taobao/Douyin-style store access, but registry metadata declares no required credentials. The provided code does not misuse credentials, but real integration would involve sensitive account authority.
- API integration for real-time stock ... - **API errors**: Check API credentials and rate limits
Use least-privileged API keys, declare required credentials clearly, and separate read-only reporting permissions from write/sync permissions.
