ClawHub

Daily Hot Deals

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The included code appears to only generate a local, hard-coded deals report, though users should notice that the description overstates real-time aggregation and scheduled WeChat push capabilities.

This skill looks low-risk from the provided artifacts: it mainly prints a local deals report using built-in Python. Before relying on it, verify whether the deals are real and current, and do not enable any recurring WeChat or paid-subscription workflow unless you are shown exactly what account, schedule, and unsubscribe controls will be used.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#ASI09: Human-Agent Trust Exploitation
Low
What this means

Users might rely on the report as if it contains current real marketplace deals or arbitrage opportunities, when the included code appears to output static demo-like data.

Why it was flagged

The implementation explicitly says it simulates daily deal data, while the skill description claims automatic whole-network deal aggregation. This is more of a capability/accuracy mismatch than malicious behavior.

Skill content
# 模拟生成每日优惠数据
Recommendation

Treat the report as sample/demo output unless the maintainer provides a real, reviewable data-source integration and clear price-verification guidance.

#ASI10: Rogue Agents
Low
What this means

If a future or external version implements this feature, it could continue sending deal reports after initial setup unless subscription controls are clear.

Why it was flagged

The documentation describes recurring automatic delivery, which would be persistent scheduled behavior if implemented. The provided artifacts do not show such a scheduler, so this is a user-awareness note rather than a demonstrated unsafe behavior.

Skill content
每日 8:00/20:00 自动发送
Recommendation

Only enable recurring pushes if the skill provides clear scheduling, destination, unsubscribe, and approval controls.