cweiping

costco-inventory-monitor

by Weiping Cai · GitHub ↗ · v1.1.0 · MIT-0
cross-platform ⚠ suspicious
112 Downloads · 0 Stars · 0 Active Installs · 3 Versions
Install in OpenClaw
/install costco-inventory-monitor
Description
Monitor Costco inventory by ZIP and run it safely with OpenClaw cron. Keep secrets outside the skill directory.
README (SKILL.md)

Costco Inventory Monitor

Goal

Provide a repeatable workflow to check Costco inventory for one or more products across multiple ZIP codes, then write a report for downstream channels (for example WeCom).

Repository Safety Rules

  • The skills/costco-inventory-monitor directory must contain scripts, templates, and docs only.
  • Never store real AK/SK, tokens, passwords, or proxy credentials inside skills/.
  • Real runtime secrets must be stored in /root/.openclaw/workspace/.secrets/costco-monitor.env.
  • .secrets/ must stay in .gitignore and should not be committed.

Files

  • Runner: scripts/run_monitor.sh
  • Inventory checker: scripts/check_costco_inventory.py
  • Config template (safe to commit): config/monitor.env.example
  • Standard reference: references/costco-inventory-standard.md

Runtime Setup

  1. Create the real secret config from template:
       mkdir -p /root/.openclaw/workspace/.secrets
       cp /root/.openclaw/workspace/skills/costco-inventory-monitor/config/monitor.env.example /root/.openclaw/workspace/.secrets/costco-monitor.env
       chmod 600 /root/.openclaw/workspace/.secrets/costco-monitor.env
  2. Edit /root/.openclaw/workspace/.secrets/costco-monitor.env and fill real values:
       • PRODUCT_1, PRODUCT_2, ...
       • ZIP_CODES
       • PROXY_URL
       • output paths (OUTPUT_JSONL, STATE_FILE, REPORT_FILE, LOG_FILE)
  3. Run once to validate:
       /root/.openclaw/workspace/skills/costco-inventory-monitor/scripts/run_monitor.sh

OpenClaw Cron (every 5 minutes)

Use OpenClaw cron, not system crontab, for this skill.

openclaw cron create \
  --name costco-inventory-monitor-5m \
  --every 5m \
  --session isolated \
  --model hunyuan/hunyuan-t1-latest \
  --delivery none \
  --message 'Run /root/.openclaw/workspace/skills/costco-inventory-monitor/scripts/run_monitor.sh and then return only the contents of /root/.openclaw/workspace/ops/costco-monitor/latest_report.txt.'

Existing production job id (created): 29515da3-2b5b-491b-b516-69875b4376a6.

Example Products and ZIPs

  • Product: 4000362984|TCL 55" Q77K|https://www.costco.com/p/-/tcl-55-class-q77k-series-4k-uhd-qled-smart-tv-allstate-3-year-protection-plan-bundle-included-for-5-years-of-total-coverage/4000362984?langId=-1
  • ZIPs: 03051, 97230

Output Locations

  • Report: /root/.openclaw/workspace/ops/costco-monitor/latest_report.txt
  • Log: /root/.openclaw/workspace/ops/costco-monitor/monitor.log
  • Snapshot JSONL: /root/.openclaw/workspace/ops/costco-monitor/snapshots.jsonl
  • State: /root/.openclaw/workspace/ops/costco-monitor/state.json

GitHub Checklist

  • Commit: skills/costco-inventory-monitor/** and optional ops wrapper scripts.
  • Do not commit: /root/.openclaw/workspace/.secrets/**, real proxy/account credentials, runtime logs, local state files.
Usage Guidance
This skill appears to implement a legitimate Costco inventory checker, but its registry metadata omits important runtime requirements. Before installing or enabling it:

  • Inspect and populate the required secret file (/root/.openclaw/workspace/.secrets/costco-monitor.env) yourself; verify it contains only the expected variables (PRODUCT_*, ZIP_CODES, PROXY_URL, OUTPUT_JSONL, STATE_FILE, REPORT_FILE, LOG_FILE) and no extra secrets. The skill will source that file at runtime.
  • Treat PROXY_URL as sensitive: it may include username:password@host. Do not point it at an untrusted proxy (it would see all fetched pages and could capture credentials/contents).
  • Ensure output/log paths are correct and have appropriate permissions so other users/agents cannot read sensitive content.
  • Because the package metadata didn't declare these env/config requirements, consider this a red flag — ask the publisher/maintainer to update registry metadata to declare the required config path and environment variables explicitly before enabling automated runs.
  • If you plan to run this on an automated schedule, start with a one-off manual run to validate behavior and outputs, and confirm no unexpected outbound endpoints (beyond the product URLs and any proxy you intentionally configured) are contacted.

If the registry were updated to declare the required config path and environment variables and you verify PROXY_URL and secret contents, the skill would be much more coherent; until then treat it cautiously.
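The secret-file checks in the guidance above can be scripted and run before the runner ever sources the file. This is an added example, not part of the skill or of the scan report; the function name audit_env_file and the finding labels are assumptions, and the allowlist is the set of variable names listed on this page.

```shell
#!/bin/sh
# Added example: audit costco-monitor.env before run_monitor.sh sources it.
# Prints one finding per line and never echoes a variable's value.
audit_env_file() {
  file=$1
  [ -f "$file" ] || { echo "MISSING"; return 2; }
  # SKILL.md sets chmod 600; a looser mode exposes PROXY_URL to other users.
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  [ "$mode" = 600 ] || echo "PERMS $mode"
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|'#'*) continue ;; esac
    line=${line#export }
    # A sourced file runs every line, so anything but NAME=value is a command.
    case $line in
      [A-Za-z_]*=*) name=${line%%=*}; value=${line#*=} ;;
      *) echo "NOT_ASSIGNMENT"; continue ;;
    esac
    case $name in *[!A-Za-z0-9_]*) echo "NOT_ASSIGNMENT"; continue ;; esac
    # Allowlist: only the variable names listed on this page.
    case $name in
      ZIP_CODES|PROXY_URL|OUTPUT_JSONL|STATE_FILE|REPORT_FILE|LOG_FILE) ;;
      PRODUCT_*)
        case ${name#PRODUCT_} in
          ''|*[!0-9]*) echo "UNEXPECTED_VAR $name" ;;
        esac ;;
      *) echo "UNEXPECTED_VAR $name" ;;
    esac
    # Command substitution in a value also executes at source time.
    case $value in *'$('*|*'`'*) echo "CMD_SUBST $name" ;; esac
    if [ "$name" = PROXY_URL ]; then
      rest=${value#*://}     # drop the scheme
      authority=${rest%%/*}  # keep host[:port], with userinfo if present
      case $authority in *@*) echo "PROXY_HAS_CREDENTIALS" ;; esac
    fi
  done < "$file"
  return 0
}

# Stand-alone use: sh audit_env.sh /path/to/costco-monitor.env
if [ "$#" -gt 0 ]; then audit_env_file "$1"; fi
```

Empty output with exit status 0 means the file passed every check; PROXY_HAS_CREDENTIALS is informational and marks the file as one whose mode and backups need the same care as a password.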
Capability Analysis
Type: OpenClaw Skill
Name: costco-inventory-monitor
Version: 1.1.0

The skill bundle is a legitimate tool for monitoring Costco inventory across multiple ZIP codes. It follows security best practices by instructing the user to store secrets (like proxy credentials) in a dedicated directory outside the skill folder and sets appropriate file permissions (chmod 600). The scripts (check_costco_inventory.py and run_monitor.sh) perform standard HTTP requests via a user-provided proxy and parse HTML for availability signals without any evidence of malicious intent, data exfiltration, or command injection vulnerabilities.
Capability Assessment
Purpose & Capability
The name/description (Costco inventory monitor) align with the included scripts: they fetch product pages (via a proxy), parse availability, and write reports. However the skill metadata declares no required environment variables or config paths while the scripts and SKILL.md require a secret env file (/root/.openclaw/workspace/.secrets/costco-monitor.env) and many environment variables (PROXY_URL, ZIP_CODES, OUTPUT_JSONL, STATE_FILE, REPORT_FILE, LOG_FILE and PRODUCT_* variables). The mismatch between declared requirements and actual runtime requirements is incoherent.
Instruction Scope
SKILL.md and run_monitor.sh explicitly instruct creating and sourcing a secret file under /root/.openclaw/workspace/.secrets and instruct running the runner via OpenClaw cron. The instructions reference specific absolute paths and require reading all PRODUCT_* env variables from the secret file; these runtime reads are not declared in registry metadata. The cron instruction asks the agent to run the script and return the report file — appropriate for the task, but it gives the agent direct instructions to run a filesystem-scoped runner and access the secret file.
Install Mechanism
No install spec is present (instruction-only plus bundled scripts). Nothing is downloaded or written by an install stage; risk from install mechanism is low.
Credentials
Although the SKILL.md recommends keeping secrets out of the skill directory, the skill implicitly requires a secret env file and multiple environment variables (proxy credentials or proxy URL, product specs via PRODUCT_* variables, ZIP_CODES, and several output/log paths). None of these are declared in the registry metadata. In particular, PROXY_URL may contain credentials and will be used as an outbound proxy for all product requests; if pointed at an untrusted proxy it could capture request payloads and responses. The number and sensitivity of required env values is higher than the metadata indicates.
Persistence & Privilege
The skill does not request always:true and does not alter other skills' configuration. It writes outputs to workspace paths under /root/.openclaw/workspace/ops and expects a secrets file in the workspace .secrets directory—this is normal for a runner-style skill. Autonomous invocation is allowed (platform default) but not uniquely privileged by this skill.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install costco-inventory-monitor
  3. After installation, invoke the skill by name or use /costco-inventory-monitor
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.0
Costco Inventory Monitor 1.1.0 introduces a safer, OpenClaw-ready workflow:
  • Adds shell scripts, Python utilities, and config templates for scheduling inventory checks by ZIP and product.
  • Enforces secret management best practices—move all real credentials to a secure, ignored directory outside the skill folder.
  • Documents OpenClaw cron scheduling for automated, safe periodic monitoring.
  • Provides clear setup, output paths, and example usage.
  • Includes updated references and monitoring standard docs.
v1.0.1
  • Added support for specifying network path (`direct` or `residential_proxy`) to handle Akamai 403 errors and improve reliability.
  • Introduced proxy configuration options, including `proxy_url` and granular proxy credentials/geo-preferences.
  • Enhanced documentation with Akamai 403 recovery workflow and updated command examples.
  • Input contract now details how to use residential proxies and related parameters for advanced monitoring.
v1.0.0
  • Initial release introducing automated monitoring of Costco product inventory by ZIP code.
  • Supports batch product and ZIP code configuration via CLI.
  • Offers flexible scheduling, alert channels (email, Slack, webhook), and fingerprint anti-blocking strategies.
  • Provides standardized output formats and integration guidelines.
  • Includes fallback manual check workflow and detailed monitoring standards reference.
Metadata
Slug costco-inventory-monitor
Version 1.1.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 3
Frequently Asked Questions

What is costco-inventory-monitor?

Monitor Costco inventory by ZIP and run it safely with OpenClaw cron. Keep secrets outside the skill directory. It is an AI Agent Skill for Claude Code / OpenClaw, with 112 downloads so far.

How do I install costco-inventory-monitor?

Run "/install costco-inventory-monitor" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is costco-inventory-monitor free?

Yes, costco-inventory-monitor is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does costco-inventory-monitor support?

costco-inventory-monitor is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created costco-inventory-monitor?

It is built and maintained by Weiping Cai (@cweiping); the current version is v1.1.0.
