ClawHub

WooCommerce Stock Monitor

v1.0.1

Monitor WooCommerce products for out-of-stock changes and send Telegram alerts. Run daily via cron.

0· 350·3 current·3 all-time
byZero2Ai@zero2ai-hub
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, README, SKILL.md, and the included script all align: the script fetches products from the WooCommerce REST API (using consumer_key/consumer_secret from a local JSON), compares state, saves a state file, and posts alerts to Telegram. Minor inconsistency: registry metadata declares no required env vars/credentials while SKILL.md and the script require TELEGRAM_BOT_TOKEN / TELEGRAM_CHAT_ID and a WOO_API_PATH file; this is likely an oversight but worth noting.
Instruction Scope
SKILL.md instructs to run node scripts/stock-monitor.js and documents environment vars and state file location. The runtime instructions and the script stay within the stated purpose: they read a specified WooCommerce credentials file, call the store API, write a local state file, and call Telegram's API. The script does not access unrelated system files or external endpoints beyond the store and api.telegram.org.
Install Mechanism
No install spec (instruction-only) and the script is bundled with the skill; there are no downloads or external installers. This is low-risk from an install perspective.
Credentials
The script legitimately needs a WooCommerce API (consumer key/secret via woo-api.json) and Telegram bot token/chat id. Those are proportionate to the feature. However, registry metadata did not declare these required credentials — the omission could mislead users about what secrets are needed. The default WOO_API_PATH points to the user's home directory, so users should ensure the referenced JSON is stored securely.
Persistence & Privilege
The skill is not always-enabled and may be invoked by the agent; it writes a local state file memory/stock-state.json under the skill's directory (normal for tracking state). It does not modify other skills or system-wide agent settings.
Assessment
This skill appears to be what it says: a simple WooCommerce poller that sends Telegram alerts. Before installing/run it, verify these points: - The skill requires TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID (set in cron or environment). Keep the bot token secret. - Provide a secure woo-api.json with only the WooCommerce read credentials. The default path is ~/woo-api.json; consider placing it in a restricted directory and referencing it explicitly via WOO_API_PATH. - The script writes state to memory/stock-state.json relative to the skill; confirm that location is acceptable and not shared with other services. - Registry metadata omits the required env vars/credentials — do not assume the skill is credential-free. Double-check SKILL.md and the script before running. - Run the script in a least-privilege environment (non-root user, isolated container or sandbox) if you're unsure about trust level. If you need higher assurance, inspect or run the bundled scripts in a controlled environment and verify network requests (to your store and api.telegram.org) before giving it persistent or automated execution.

Like a lobster shell, security has layers — review code before you run it.

latestvk971rdwnzja73x61gpydy8cw79836815

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsnode

Comments