SellToAI Moras Shop

Review

Audited by ClawScan on May 15, 2026.

Overview

The shopping API behavior is mostly disclosed, but the install helper can download unpinned instructions from the web and persist them across several different agent apps.

Use this skill only if you are comfortable sending shopping requests to SellToAI and seeing tracked buy links. Prefer installing through the registry or a reviewed local file; do not run the curl|bash installer unless you trust the live remote source, and install it only into the agent apps where you actually want it enabled.

Publisher note

This skill calls the SellToAI public gateway at https://selltoai.ai using curl to turn shopping intent into Moras video-proof product recommendation cards. Public trial calls to GET /v1/recommend work for eligible agent channels without an API key and are capped to 3 cards. MORAS_API_KEY is optional for production traffic and higher limits. The skill must preserve tracked buy links and MatchToken query parameters for attribution.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the remote file changes or is compromised, running the installer could add different agent instructions than the ones reviewed here.

Why it was flagged

The installer can be run directly from a remote script and then downloads SKILL.md from a live URL with no version pin, signature, or checksum, so the installed instructions could differ from the reviewed artifact.

Skill content

# Usage: bash install.sh   or   curl -sSL https://selltoai.ai/skills/install.sh | bash
SRC_URL="${MORAS_SHOP_SKILL_URL:-https://selltoai.ai/skills/moras-shop/SKILL.md}"
curl -fsSL "$SRC_URL" -o "$TMP"

Recommendation

Install from the reviewed registry artifact when possible, avoid curl|bash, and require a pinned version or checksum before downloading skill instructions.

What this means

A user intending to install this for one agent could unintentionally enable it in other local agent apps as well.

Why it was flagged

The installer writes the skill into multiple agent runtimes, creating persistent future availability outside the single OpenClaw context.

Skill content

DEST_DIRS=(
  "$HOME/.cursor/skills/moras-shop"
  "$HOME/.claude/skills/moras-shop"
  "$HOME/.codex/skills/moras-shop"
  "$HOME/.openclaw/skills/moras-shop"
)
...
cp "$TMP" "$d/SKILL.md"

Recommendation

Install only into the specific agent directory the user selected, or add explicit prompts/flags for each target agent.

What this means

The agent may run local shell curl commands when handling shopping requests.

Why it was flagged

The skill explicitly prefers shell execution for API calls. The documented commands are scoped to curl requests to the SellToAI gateway, so this is purpose-aligned but worth noticing.

Skill content

OpenClaw tool rule: call Moras through the shell/exec tool with `curl`. Do **not** use OpenClaw `web_fetch`, `url-fetch`, browser search, or generic web browsing for Moras API calls.

Recommendation

Keep shell use limited to the documented HTTPS API calls and do not allow the skill to expand into unrelated shell commands.

What this means

If a user configures MORAS_API_KEY, the agent will include it in requests to the selected SellToAI-compatible base URL.

Why it was flagged

The skill can use an optional bearer token for higher limits and authenticated APIs. This is disclosed and aligned with a provider integration, but the credential should be scoped and sent only to a trusted gateway.

Skill content

Production mode: if `MORAS_API_KEY` is set, add
  `Authorization: Bearer $MORAS_API_KEY` and you may request higher limits and
  use authenticated write APIs.

Recommendation

Use a least-privilege API key, rotate it if exposed, and set MORAS_A2A_BASE_URL only to a trusted HTTPS gateway.

What this means

Product preferences, gift details, budgets, and similar shopping context may be shared with SellToAI or the configured gateway.

Why it was flagged

Shopping intent and channel metadata are sent to the external gateway. This is central to the skill's purpose, but users should know their request details leave the local agent.

Skill content

curl -s -G "$BASE_URL/v1/recommend" \
  -H "X-Moras-Skill: moras-shop" \
  --data-urlencode "intent=YOUR_ENGLISH_INTENT" \
  --data-urlencode "limit=3" \
  --data-urlencode "channel=openclaw"

Recommendation

Avoid including unnecessary personal or sensitive details in shopping prompts, and review the provider's privacy practices before use.

What this means

Links may be tracked for attribution, and product rankings may reflect SellToAI's commerce model rather than independent editorial review.

Why it was flagged

The skill discloses that buy links and channel values support attribution analytics. That is coherent for a commerce skill, but recommendations may have commercial incentives.

Skill content

attribution-tracking buy link
...
`channel` — set to one of `openclaw | cursor | claude | codex | hermes | a2a-other`
  (this powers attribution analytics — please always set it)

Recommendation

Treat product cards as shopping suggestions, verify prices and sellers before buying, and understand that buy links are tracked.