Supermarket Deals (DE)
AdvisoryAudited by Static analysis on May 10, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill may download/build npm development dependencies on the user's machine.
The skill requires a Node/npm setup step even though the registry install spec is empty. This is common for a CLI skill, and the lockfile/no install scripts reduce risk, but users should notice they are installing npm dependencies.
cd path/to/supermarket-deals npm install npm run build
Install from a trusted source, review package.json/package-lock.json, prefer a locked install such as npm ci where practical, and avoid running setup as an administrator.
Marktguru can receive the products you search for and the postal code you use.
The code sends the user's product query and ZIP code to Marktguru's API, which is necessary for the advertised deal search but is still a third-party data flow.
const SEARCH_ENDPOINT = "https://api.marktguru.de/api/v1/offers/search"; ... url.searchParams.set("q", query); url.searchParams.set("zipCode", zipCode);Use this skill only if you are comfortable sharing search terms and ZIP codes with Marktguru; use a nearby ZIP if you want less precise location disclosure.
Someone with access to the local account could view the saved default ZIP/store preferences and cached Marktguru keys.
The skill persists local configuration and cached provider keys between runs. This is bounded and disclosed, but it means defaults such as a ZIP code remain on disk.
Config is stored at `~/.supermarket-deals/config.json` ... API keys ... cached 6h in `~/.supermarket-deals/keys.json`
Review or delete ~/.supermarket-deals if you no longer use the skill or do not want local defaults retained.