← 返回 Skills 市场

costco-inventory-monitor

Name: costco-inventory-monitor
Author: cweiping

作者 Weiping Cai · GitHub ↗ · v1.1.0 · MIT-0

cross-platform ⚠ suspicious

112

总下载

当前安装

版本数

在 OpenClaw 中安装

/install costco-inventory-monitor

功能描述

Monitor Costco inventory by ZIP and run it safely with OpenClaw cron. Keep secrets outside the skill directory.

使用说明 (SKILL.md)

Costco Inventory Monitor

Goal

Provide a repeatable workflow to check Costco inventory for one or more products across multiple ZIP codes, then write a report for downstream channels (for example WeCom).

Repository Safety Rules

The skills/costco-inventory-monitor directory must contain scripts, templates, and docs only.
Never store real AK/SK, tokens, passwords, or proxy credentials inside skills/.
Real runtime secrets must be stored in /root/.openclaw/workspace/.secrets/costco-monitor.env.
.secrets/ must stay in .gitignore and should not be committed.

Files

Runner: scripts/run_monitor.sh
Inventory checker: scripts/check_costco_inventory.py
Config template (safe to commit): config/monitor.env.example
Standard reference: references/costco-inventory-standard.md

Runtime Setup

Create the real secret config from template:

mkdir -p /root/.openclaw/workspace/.secrets
cp /root/.openclaw/workspace/skills/costco-inventory-monitor/config/monitor.env.example /root/.openclaw/workspace/.secrets/costco-monitor.env
chmod 600 /root/.openclaw/workspace/.secrets/costco-monitor.env

Edit /root/.openclaw/workspace/.secrets/costco-monitor.env and fill real values:

PRODUCT_1, PRODUCT_2, ...
ZIP_CODES
PROXY_URL
output paths (OUTPUT_JSONL, STATE_FILE, REPORT_FILE, LOG_FILE)

Run once to validate:

/root/.openclaw/workspace/skills/costco-inventory-monitor/scripts/run_monitor.sh

OpenClaw Cron (every 5 minutes)

Use OpenClaw cron, not system crontab, for this skill.

openclaw cron create \
  --name costco-inventory-monitor-5m \
  --every 5m \
  --session isolated \
  --model hunyuan/hunyuan-t1-latest \
  --delivery none \
  --message 'Run /root/.openclaw/workspace/skills/costco-inventory-monitor/scripts/run_monitor.sh and then return only the contents of /root/.openclaw/workspace/ops/costco-monitor/latest_report.txt.'

Existing production job id (created): 29515da3-2b5b-491b-b516-69875b4376a6.

Example Products and ZIPs

Product: 4000362984|TCL 55" Q77K|https://www.costco.com/p/-/tcl-55-class-q77k-series-4k-uhd-qled-smart-tv-allstate-3-year-protection-plan-bundle-included-for-5-years-of-total-coverage/4000362984?langId=-1
ZIPs: 03051, 97230

Output Locations

Report: /root/.openclaw/workspace/ops/costco-monitor/latest_report.txt
Log: /root/.openclaw/workspace/ops/costco-monitor/monitor.log
Snapshot JSONL: /root/.openclaw/workspace/ops/costco-monitor/snapshots.jsonl
State: /root/.openclaw/workspace/ops/costco-monitor/state.json

GitHub Checklist

Commit: skills/costco-inventory-monitor/** and optional ops wrapper scripts.
Do not commit: /root/.openclaw/workspace/.secrets/**, real proxy/account credentials, runtime logs, local state files.

安全使用建议

This skill appears to implement a legitimate Costco inventory checker, but its registry metadata omits important runtime requirements. Before installing or enabling it: - Inspect and populate the required secret file (/root/.openclaw/workspace/.secrets/costco-monitor.env) yourself; verify it contains only the expected variables (PRODUCT_*, ZIP_CODES, PROXY_URL, OUTPUT_JSONL, STATE_FILE, REPORT_FILE, LOG_FILE) and no extra secrets. The skill will source that file at runtime. - Treat PROXY_URL as sensitive: it may include username:password@host. Do not point it at an untrusted proxy (it would see all fetched pages and could capture credentials/contents). - Ensure output/log paths are correct and have appropriate permissions so other users/agents cannot read sensitive content. - Because the package metadata didn't declare these env/config requirements, consider this a red flag — ask the publisher/maintainer to update registry metadata to declare the required config path and environment variables explicitly before enabling automated runs. - If you plan to run this on an automated schedule, start with a one-off manual run to validate behavior and outputs, and confirm no unexpected outbound endpoints (beyond the product URLs and any proxy you intentionally configured) are contacted. If the registry were updated to declare the required config path and environment variables and you verify PROXY_URL and secret contents, the skill would be much more coherent; until then treat it cautiously.

功能分析

Type: OpenClaw Skill Name: costco-inventory-monitor Version: 1.1.0 The skill bundle is a legitimate tool for monitoring Costco inventory across multiple ZIP codes. It follows security best practices by instructing the user to store secrets (like proxy credentials) in a dedicated directory outside the skill folder and sets appropriate file permissions (chmod 600). The scripts (check_costco_inventory.py and run_monitor.sh) perform standard HTTP requests via a user-provided proxy and parse HTML for availability signals without any evidence of malicious intent, data exfiltration, or command injection vulnerabilities.

能力评估

⚠ Purpose & Capability

The name/description (Costco inventory monitor) align with the included scripts: they fetch product pages (via a proxy), parse availability, and write reports. However the skill metadata declares no required environment variables or config paths while the scripts and SKILL.md require a secret env file (/root/.openclaw/workspace/.secrets/costco-monitor.env) and many environment variables (PROXY_URL, ZIP_CODES, OUTPUT_JSONL, STATE_FILE, REPORT_FILE, LOG_FILE and PRODUCT_* variables). The mismatch between declared requirements and actual runtime requirements is incoherent.

⚠ Instruction Scope

SKILL.md and run_monitor.sh explicitly instruct creating and sourcing a secret file under /root/.openclaw/workspace/.secrets and instruct running the runner via OpenClaw cron. The instructions reference specific absolute paths and require reading all PRODUCT_* env variables from the secret file; these runtime reads are not declared in registry metadata. The cron instruction asks the agent to run the script and return the report file — appropriate for the task, but it gives the agent direct instructions to run a filesystem-scoped runner and access the secret file.

✓ Install Mechanism

No install spec is present (instruction-only plus bundled scripts). Nothing is downloaded or written by an install stage; risk from install mechanism is low.

⚠ Credentials

Although the SKILL.md recommends keeping secrets out of the skill directory, the skill implicitly requires a secret env file and multiple environment variables (proxy credentials or proxy URL, product specs via PRODUCT_* variables, ZIP_CODES, and several output/log paths). None of these are declared in the registry metadata. In particular, PROXY_URL may contain credentials and will be used as an outbound proxy for all product requests; if pointed at an untrusted proxy it could capture request payloads and responses. The number and sensitivity of required env values is higher than the metadata indicates.

✓ Persistence & Privilege

The skill does not request always:true and does not alter other skills' configuration. It writes outputs to workspace paths under /root/.openclaw/workspace/ops and expects a secrets file in the workspace .secrets directory—this is normal for a runner-style skill. Autonomous invocation is allowed (platform default) but not uniquely privileged by this skill.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install costco-inventory-monitor
安装完成后，直接呼叫该 Skill 的名称或使用 /costco-inventory-monitor 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.1.0

Costco Inventory Monitor 1.1.0 introduces a safer, OpenClaw-ready workflow: - Adds shell scripts, Python utilities, and config templates for scheduling inventory checks by ZIP and product. - Enforces secret management best practices—move all real credentials to a secure, ignored directory outside the skill folder. - Documents OpenClaw cron scheduling for automated, safe periodic monitoring. - Provides clear setup, output paths, and example usage. - Includes updated references and monitoring standard docs.

v1.0.1

- Added support for specifying network path (`direct` or `residential_proxy`) to handle Akamai 403 errors and improve reliability. - Introduced proxy configuration options, including `proxy_url` and granular proxy credentials/geo-preferences. - Enhanced documentation with Akamai 403 recovery workflow and updated command examples. - Input contract now details how to use residential proxies and related parameters for advanced monitoring.

v1.0.0

- Initial release introducing automated monitoring of Costco product inventory by ZIP code. - Supports batch product and ZIP code configuration via CLI. - Offers flexible scheduling, alert channels (email, Slack, webhook), and fingerprint anti-blocking strategies. - Provides standardized output formats and integration guidelines. - Includes fallback manual check workflow and detailed monitoring standards reference.

元数据

Slug costco-inventory-monitor

版本 1.1.0

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 3

常见问题