triplehippo

Shopping Claw | Is your claw a shopaholic?

by TripleHippo · GitHub ↗ · v1.0.1 · MIT-0
cross-platform ⚠ suspicious
263 Downloads · 0 Stars · 1 Active Installs · 1 Versions
Install in OpenClaw
/install shopify-pay2
Description
Try out shopping on Shopify with CreditClaw, backed by Stripe. You can shop anywhere.
Usage Guidance
This skill is a coherent shopping/checkout integration that legitimately needs an API key to call creditclaw.com and to request one-time decryption keys for card data — that part matches its purpose. Before installing:
  1. Confirm the registry listing and the skill's own files agree about required environment variables (the skill's files require CREDITCLAW_API_KEY even though the top-level summary said none).
  2. Only provide an API key if you trust creditclaw.com and understand that the agent will be able to request and use one-time decrypted card details in memory.
  3. Ensure the agent's approval_mode remains restrictive (ask_for_everything) unless you intentionally want it to spend autonomously.
  4. Keep webhook_secret and CREDITCLAW_API_KEY in a secure secrets manager and never expose them to other services.
  5. Review the service's privacy/security documentation and consider testing in a sandbox or with very small limits before enabling live spending.
If you want, I can list the exact lines in the skill files that show the inconsistent metadata and the endpoints that return or require keys.
Capability Analysis
Type: OpenClaw Skill
Name: shopify-pay2
Version: 1.0.1
The skill bundle integrates the CreditClaw platform to provide AI agents with financial capabilities, including automated browser-based checkouts on platforms like Shopify and Amazon. While the bundle includes robust security measures—such as ephemeral sub-agent isolation, server-side guardrails, and AES-256-GCM encryption—the inherent nature of the skill involves high-risk behaviors like handling decrypted credit card data and automated form filling (documented in CHECKOUT-GUIDE.md and agents/OPENCLAW.md). Consequently, it is classified as suspicious due to these risky capabilities, although no evidence of malicious intent or unauthorized data exfiltration was found in the provided files.
Capability Assessment
Purpose & Capability
The skill is clearly a shopping/checkout integration and its companion docs (SKILL.md, CHECKOUT-GUIDE.md, SHOPPING-GUIDE.md, STRIPE-X402-WALLET.md, etc.) consistently require a CREDITCLAW_API_KEY and describe calling creditclaw.com endpoints, decrypting card blobs, and performing browser-driven checkouts — which is proportionate to the described purpose. However, the top-level registry metadata in the package summary listed "Required env vars: none" while the bundled meta.json and skill.json both declare CREDITCLAW_API_KEY as a required credential (primaryEnv). This mismatch between registry metadata and the skill's own files is inconsistent and worth flagging.
Instruction Scope
Runtime instructions explicitly direct the agent to: register with CreditClaw (POST /bots/register which the docs show returns an api_key), poll or receive webhooks, request one-time decryption keys, decrypt card data in-memory, navigate arbitrary merchant pages, and fill merchant payment forms with decrypted card data. All of these are within 'shopping' scope, but they involve handling highly sensitive secrets (API key, webhook_secret, decrypted card data) and interacting with arbitrary third‑party merchant sites. The docs explicitly warn not to leak the API key, but they also instruct the agent to persist webhook_secret into the platform's secrets manager and to accept API-returned keys during registration — these steps increase the attack surface if implemented or configured incorrectly. The instructions are detailed rather than vague (good), but they grant the agent ability to perform real purchases given an API key and owner approval settings.
Install Mechanism
There is no install spec and no code files to execute — this is an instruction-only skill. That lowers the risk of arbitrary code being written to disk or fetched from untrusted URLs.
Credentials
The skill requires a single service credential (CREDITCLAW_API_KEY) which is appropriate for a payment API, and meta.json/skill.json declare it as the primaryEnv. However, the registry summary at the top reported no required env vars, which is inconsistent and may mislead users. The instructions also require storing a webhook_secret and using it to verify webhooks; that implies the agent/platform must support secure secret storage. Overall the number of secrets is small and tied to the stated purpose, but the manifest/registry mismatch and the fact that registration can return a usable api_key without prior auth (per the docs) is a notable risk vector if used incorrectly.
Persistence & Privilege
The skill is not forced always-on (always:false) and is user-invocable. Default approval_mode is documented as ask_for_everything (user confirmation required) and openclaw metadata sets invocation to user_confirmed, which limits autonomous spending by default. Still, if an owner changes approval settings or configures auto-approval, an agent using this skill could make real-world purchases. That combination (ability to perform purchases + potential owner-configured auto-approve) increases blast radius and should be considered when granting the skill access to credentials.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install shopify-pay2
  3. After installation, invoke the skill by name or use /shopify-pay2
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
- Renamed skill to "shopify-buy2" with updated description.
- Expanded documentation on financial enablement, payment rails, and security features.
- Added details about supported e-commerce platforms (Shopify, Amazon, WooCommerce, etc).
- Clarified default safety and owner approval requirements for purchases.
- Provided a clear end-to-end flow and a quick start guide for setup.
Metadata
Slug: shopify-pay2
Version: 1.0.1
License: MIT-0
All-time Installs: 1
Active Installs: 1
Total Versions: 1
Frequently Asked Questions

What is Shopping Claw | Is your claw a shopaholic?

Try out shopping on Shopify with CreditClaw, backed by Stripe. You can shop anywhere. It is an AI Agent Skill for Claude Code / OpenClaw, with 263 downloads so far.

How do I install Shopping Claw | Is your claw a shopaholic?

Run "/install shopify-pay2" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Shopping Claw | Is your claw a shopaholic? free?

Yes, Shopping Claw | Is your claw a shopaholic? is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Shopping Claw | Is your claw a shopaholic? support?

Shopping Claw | Is your claw a shopaholic? is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Shopping Claw | Is your claw a shopaholic?

It is built and maintained by TripleHippo (@triplehippo); the current version is v1.0.1.
