Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Shopping Autopilot
v1.0.0Automate your grocery shopping - weekly meal planning, regular items, delivery slots, and order confirmation.
⭐ 0· 64·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill advertises automated ordering, delivery-slot booking, and order confirmation for Tesco, Amazon Fresh, and Instacart — capabilities that normally require store-specific authentication (accounts, API keys, or browser automation). Yet the metadata declares no required credentials, no config paths, and no install steps. That mismatch suggests the skill's declared requirements are incomplete or misleading.
Instruction Scope
SKILL.md contains only high-level features and example prompts; it gives no concrete runtime instructions for authentication, where or how it will perform web interactions, or how it will handle sensitive data (payment, addresses). The instructions are overly open-ended and grant broad discretion to the agent without bounds, which is a scope creep risk for an automation that would need account access.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, which minimizes disk writes and arbitrary code installation. That lowers installation risk, but does not resolve the operational ambiguity about required credentials or browser automation.
Credentials
Given the claimed features, one would expect the skill to request credentials (store API keys, OAuth tokens, login cookies) or to document using the user's interactive browser. The absence of any declared environment variables or credential requirements is disproportionate and unexplained.
Persistence & Privilege
The skill is not always-enabled and is user-invocable with normal autonomous invocation allowed. That is typical and not itself problematic — but if it later requires broad account access, autonomous invocation could increase risk. Currently there is no evidence it modifies other skills or system settings.
What to consider before installing
Before installing, ask the developer for specifics: (1) How does the skill authenticate with Tesco / Amazon Fresh / Instacart — does it use OAuth, store API keys, or require you to supply account credentials? (2) Will it ever place or confirm an order automatically, or only prepare carts for you to review? (3) How are payment methods and personal data stored, transmitted, or logged? (4) Where is any automation code executed (local browser automation vs remote service)? If you must provide credentials, prefer OAuth flows or short-lived tokens and avoid sharing passwords or credit-card details directly. If answers are unclear or the developer can't explain why no credentials are needed, treat the skill as risky — consider testing only with a throwaway account and no saved payment methods.Like a lobster shell, security has layers — review code before you run it.
latestvk974q13mdb5xa4420snq397hxx83dcv3
License
MIT-0
Free to use, modify, and redistribute. No attribution required.