Shopping Claw | Is your claw a shopaholic?
Author: TripleHippo · v1.0.1 · MIT-0
Total downloads: 263
Favorites: 0
Current installs: 1
Versions: 1
Install in OpenClaw
/install shopify-pay2
Description
Try out shopping on Shopify with CreditClaw and backed by Stripe. You can shop anywhere.
Security usage recommendations
This skill is a coherent shopping/checkout integration that legitimately needs an API key to call creditclaw.com and to request one-time decryption keys for card data — that part matches its purpose. Before installing: (1) confirm the registry listing and the skill's own files agree about required environment variables (the skill's files require CREDITCLAW_API_KEY even though the top-level summary said none), (2) only provide an API key if you trust creditclaw.com and understand that the agent will be able to request and use one-time decrypted card details in memory, (3) ensure the agent's approval_mode remains restrictive (ask_for_everything) unless you intentionally want it to spend autonomously, (4) keep webhook_secret and CREDITCLAW_API_KEY in a secure secrets manager and never expose them to other services, and (5) review the service's privacy/security documentation and consider testing in a sandbox or with very small limits before enabling live spending.
Functional analysis
Type: OpenClaw Skill
Name: shopify-pay2
Version: 1.0.1
The skill bundle integrates the CreditClaw platform to provide AI agents with financial capabilities, including automated browser-based checkouts on platforms like Shopify and Amazon. While the bundle includes robust security measures—such as ephemeral sub-agent isolation, server-side guardrails, and AES-256-GCM encryption—the inherent nature of the skill involves high-risk behaviors like handling decrypted credit card data and automated form filling (documented in CHECKOUT-GUIDE.md and agents/OPENCLAW.md). Consequently, it is classified as suspicious due to these risky capabilities, although no evidence of malicious intent or unauthorized data exfiltration was found in the provided files.
Capability assessment
Purpose & Capability
The skill is clearly a shopping/checkout integration and its companion docs (SKILL.md, CHECKOUT-GUIDE.md, SHOPPING-GUIDE.md, STRIPE-X402-WALLET.md, etc.) consistently require a CREDITCLAW_API_KEY and describe calling creditclaw.com endpoints, decrypting card blobs, and performing browser-driven checkouts — which is proportionate to the described purpose. However, the top-level registry metadata in the package summary listed "Required env vars: none" while the bundled meta.json and skill.json both declare CREDITCLAW_API_KEY as a required credential (primaryEnv). This mismatch between registry metadata and the skill's own files is inconsistent and worth flagging.
Instruction Scope
Runtime instructions explicitly direct the agent to: register with CreditClaw (POST /bots/register which the docs show returns an api_key), poll or receive webhooks, request one-time decryption keys, decrypt card data in-memory, navigate arbitrary merchant pages, and fill merchant payment forms with decrypted card data. All of these are within 'shopping' scope, but they involve handling highly sensitive secrets (API key, webhook_secret, decrypted card data) and interacting with arbitrary third‑party merchant sites. The docs explicitly warn not to leak the API key, but they also instruct the agent to persist webhook_secret into the platform's secrets manager and to accept API-returned keys during registration — these steps increase the attack surface if implemented or configured incorrectly. The instructions are detailed rather than vague (good), but they grant the agent ability to perform real purchases given an API key and owner approval settings.
Install Mechanism
There is no install spec and no code files to execute — this is an instruction-only skill. That lowers the risk of arbitrary code being written to disk or fetched from untrusted URLs.
Credentials
The skill requires a single service credential (CREDITCLAW_API_KEY) which is appropriate for a payment API, and meta.json/skill.json declare it as the primaryEnv. However, the registry summary at the top reported no required env vars, which is inconsistent and may mislead users. The instructions also require storing a webhook_secret and using it to verify webhooks; that implies the agent/platform must support secure secret storage. Overall the number of secrets is small and tied to the stated purpose, but the manifest/registry mismatch and the fact that registration can return a usable api_key without prior auth (per the docs) is a notable risk vector if used incorrectly.
Persistence & Privilege
The skill is not forced always-on (always:false) and is user-invocable. Default approval_mode is documented as ask_for_everything (user confirmation required) and openclaw metadata sets invocation to user_confirmed, which limits autonomous spending by default. Still, if an owner changes approval settings or configures auto-approval, an agent using this skill could make real-world purchases. That combination (ability to perform purchases + potential owner-configured auto-approve) increases blast radius and should be considered when granting the skill access to credentials.
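How to use
- Make sure OpenClaw is installed (local or Docker deployment).
- Enter the install command in the chat box: /install shopify-pay2
- Once installation completes, call the Skill by name or use /shopify-pay2 to trigger it.
- Provide the required inputs as described in the Skill's parameter documentation to get structured output.
Version history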
v1.0.1
- Renamed skill to "shopify-buy2" with updated description.
- Expanded documentation on financial enablement, payment rails, and security features.
- Added details about supported e-commerce platforms (Shopify, Amazon, WooCommerce, etc).
- Clarified default safety and owner approval requirements for purchases.
- Provided a clear end-to-end flow and a quick start guide for setup.
Metadata
FAQ
What is Shopping Claw | Is your claw a shopaholic?
Try out shopping on Shopify with CreditClaw and backed by Stripe. You can shop anywhere. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 263 downloads to date.
How do I install Shopping Claw | Is your claw a shopaholic?
Run the command "/install shopify-pay2" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.
Is Shopping Claw | Is your claw a shopaholic? free?
Yes, Shopping Claw | Is your claw a shopaholic? is completely free and is released under the MIT-0 license; you can download, install and use it freely.
Which platforms does Shopping Claw | Is your claw a shopaholic? support?
Shopping Claw | Is your claw a shopaholic? runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Shopping Claw | Is your claw a shopaholic?
It is developed and maintained by TripleHippo (@triplehippo); the current version is v1.0.1.