← 返回 Skills 市场

Grocery Shopping Assistant

Name: Grocery Shopping Assistant
Author: serdarsalim

作者 Serdar Salim · GitHub ↗ · v1.1.3 · MIT-0

cross-platform ⚠ suspicious

189

总下载

当前安装

版本数

在 OpenClaw 中安装

/install grocery-assistant

功能描述

Persistent pantry-backed grocery checklist for OpenClaw, intended for normal conversational use with Telegram shopping-list UI.

使用说明 (SKILL.md)

Grocery Checklist

This skill stores grocery state locally and supports a Telegram checklist UX.

Intended usage:

OpenClaw handles conversation normally
this skill provides grocery state and actions
Telegram renders shopping and pantry views
the managed OpenClaw route is the primary install mode

Runtime behavior:

reads Telegram account config from ~/.openclaw/openclaw.json
writes pantry state to ~/.openclaw/data/grocery-checklist/state.json
writes Telegram polling state to ~/.openclaw/data/grocery-checklist/telegram-bot-state.json
uses the bundled wrapper at scripts/grocery.sh

Use it for:

I ran out of salt
Add milk and eggs to groceries
What do I need to buy?
Mark eggs bought
I'm shopping now
Should I go shopping today?

Wrapper:

bash \x3Cskill_dir>/scripts/grocery.sh ...

Core states:

needed
have

Telegram callbacks use:

callback_data: gchk:...

Behavior guidance:

when tools are available, use mutate_grocery_items for state changes and render_grocery_view for Telegram UI
treat natural grocery mutation phrasing as state changes
for mutation intents, run the mutation first; do not render as a substitute for the mutation
treat show me the shopping list, what do I need to buy, and “I am shopping now” phrasing as shopping-list renders
treat show me the pantry and what do I have as pantry renders
keep normal grocery conversation conversational
after a Telegram UI render or callback, do not send a second explanatory message
for successful Telegram UI actions, the ideal model output is exactly NO_REPLY

安全使用建议

This skill appears to do what it says: it stores grocery state locally and uses a Telegram token from your OpenClaw config to render inline checklists. Before installing: (1) confirm you want the grocery bot token placed in ~/.openclaw/openclaw.json (or bind a dedicated grocery account) so the skill can find it; (2) review and, if required by your security posture, allowlist the bundled wrapper and Python scripts for exec approvals (SETUP.md mentions this); (3) if you want tighter isolation, create a dedicated Telegram 'grocery' bot/account and bind it only to this agent; (4) be aware there is an optional standalone bot script (telegram_bot.py) that can run outside OpenClaw — only run it if you intend to bypass OpenClaw's managed routing. If you need a deeper audit, provide the remaining truncated sections of index.js/grocery.py for a full line-by-line review.

功能分析

Type: OpenClaw Skill Name: grocery-assistant Version: 1.1.3 The skill is classified as suspicious due to a potential argument injection vulnerability in 'scripts/telegram_bot.py', where unsanitized user input is passed directly as command-line arguments to a shell wrapper, potentially allowing a user to manipulate the '--state-file' path or other parameters. Additionally, the skill requires high-privilege read access to the sensitive '~/.openclaw/openclaw.json' file to retrieve Telegram bot tokens and includes a maintenance script ('scripts/prune_grocery_sessions.py') that performs automated file deletions and archiving. While these features are aligned with the stated purpose of a Telegram-integrated grocery assistant, the broad file access and lack of input sanitization in the standalone bot script present a security risk.

能力标签

cryptocan-make-purchases

能力评估

✓ Purpose & Capability

The name/description match the code and SKILL.md: the package implements a pantry-backed grocery state machine and a Telegram UI. Required binaries (bash, python3, openclaw) and the files that read/write ~/.openclaw/* are consistent with the stated design (OpenClaw-managed routing + optional standalone bot).

ℹ Instruction Scope

Runtime instructions explicitly state the skill will read ~/.openclaw/openclaw.json and write state under ~/.openclaw/data/grocery-checklist/. The included scripts perform only grocery-related operations (state CRUD, Telegram API calls, session pruning). Note: the skill loads the entire openclaw.json to locate the grocery Telegram account (documented); while that file may contain other channel credentials, the code accesses only the grocery account fields.

✓ Install Mechanism

No download/install step is declared (instruction-only install), and all code is bundled with the skill. There are no external archive downloads or URLs that would write arbitrary binaries to disk.

✓ Credentials

No environment variables or external secrets are required. The skill reads ~/.openclaw/openclaw.json to obtain the grocery Telegram bot token — this is expected and documented. It does not request unrelated cloud keys or other credentials.

✓ Persistence & Privilege

The skill writes state to ~/.openclaw/data/grocery-checklist/ and the prune helper manipulates session files in ~/.openclaw/agents/grocery/sessions; these are within the OpenClaw workspace and consistent with a grocery agent. The skill is not marked always:true and does not modify other skills' configs.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install grocery-assistant
安装完成后，直接呼叫该 Skill 的名称或使用 /grocery-assistant 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.1.3

- Added index.js and package.json, introducing new Node.js support. - Updated version to 1.1.3.

v1.1.2

- Added maintenance script: scripts/prune_grocery_sessions.py. - This script helps manage and prune old grocery sessions for improved data hygiene.

v1.1.0

Version 1.0.7 - No file changes were detected in this release. - No user-facing updates or new features.

v1.0.6

No user-visible changes in this release. Version bumped, but no updates or fixes detected.

v1.0.5

- Added compiled Python file for Telegram bot in scripts/__pycache__. - Updated documentation to clarify intended conversational usage with Telegram shopping-list UI. - Expanded example prompts for using the grocery checklist skill. - Added behavioral guidance for handling natural language interactions and Telegram UI updates.

v1.0.1

- Added compiled Python files for grocery and Telegram bot scripts. - Expanded documentation to specify skill file locations for reading and writing state. - Updated SKILL.md metadata with explicit file access paths and improved runtime behavior notes.

v1.0.0

- Initial release of grocery-checklist skill for OpenClaw. - Supports a persistent, local pantry-backed grocery checklist. - Integrates with Telegram inline buttons for easy marking of purchased items. - Allows adding, removing, querying, and marking grocery items as bought or needed. - Works via bash wrapper and requires bash, python3, and OpenClaw.

元数据

Slug grocery-assistant

版本 1.1.3

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 7

常见问题

Grocery Shopping Assistant 是什么？

Persistent pantry-backed grocery checklist for OpenClaw, intended for normal conversational use with Telegram shopping-list UI. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 189 次。

如何安装 Grocery Shopping Assistant？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install grocery-assistant」即可一键安装，无需额外配置。

Grocery Shopping Assistant 是免费的吗？

是的，Grocery Shopping Assistant 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

Grocery Shopping Assistant 支持哪些平台？

Grocery Shopping Assistant 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Grocery Shopping Assistant？

由 Serdar Salim（@serdarsalim）开发并维护，当前版本 v1.1.3。