WooCommerce Stock Monitor

Pass

Audited by ClawScan on May 1, 2026.

Overview

This skill appears to do what it claims: read WooCommerce stock data, save a local state file, and send Telegram alerts, but it needs sensitive store and Telegram credentials.

Before installing, make sure you are comfortable giving the script a read-only WooCommerce API key and a Telegram bot token. Use an HTTPS WooCommerce URL, send alerts only to an intended Telegram chat, and remember that a cron setup will keep running until you remove it.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone installing it must provide credentials that allow the script to read WooCommerce product data and send Telegram messages.

Why it was flagged

The skill needs WooCommerce API credentials and Telegram bot credentials. This is expected for the integration and documented, but these credentials can access store/product data and send messages.

Skill content

`WOO_API_PATH` ... WooCommerce API credentials JSON ... `TELEGRAM_BOT_TOKEN` ... `TELEGRAM_CHAT_ID`

Recommendation

Use a WooCommerce key with read-only product access, keep the Telegram bot token private, and verify the credentials are only stored where trusted users can read them.

What this means

Out-of-stock product details may be visible to members of the configured Telegram chat and processed by Telegram.

Why it was flagged

The script sends alert text containing product names and SKUs to a configured Telegram chat. This matches the stated purpose, but it moves inventory information to an external messaging provider.

Skill content

hostname: 'api.telegram.org' ... JSON.stringify({ chat_id: TELEGRAM_CHAT, text: message, parse_mode: 'Markdown' })

Recommendation

Confirm the Telegram chat is appropriate for business inventory alerts and avoid using a chat with unintended members.

What this means

Local users with access to the state file may be able to view or alter stock-monitoring history, which could affect future alerts.

Why it was flagged

The skill persists product names, SKUs, and stock status between runs so it can detect transitions. This is disclosed and purpose-aligned.

Skill content

**State file:** Saved to `memory/stock-state.json` (tracks previous run)

Recommendation

Store the skill in a location with appropriate file permissions and remove the state file if you want to reset the monitor.

What this means

After cron setup, it will continue contacting WooCommerce and Telegram daily until the cron job is removed or disabled.

Why it was flagged

The skill is intended to run persistently on a schedule if the user adds the cron entry. This is explicit and central to the stock-monitoring purpose.

Skill content

Run daily via cron ... `0 7 * * * TELEGRAM_BOT_TOKEN=xxx TELEGRAM_CHAT_ID=yyy node /path/to/scripts/stock-monitor.js`

Recommendation

Only add the cron entry if ongoing monitoring is desired, and document where it is installed so it can be disabled later.