Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Pricing Engine
v1.0.0 Dynamic pricing engine: automatically calculates quotes from the LME copper price, quantity tiers, customer grade and real-time exchange rates, and integrates with quotation-workflow to generate quotation documents.
by Jaden's built a claw (@cjboy007)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Verdict: Suspicious (medium confidence)
Purpose & Capability
The name/description (dynamic pricing tied to LME copper, quantity tiers, customer grades, exchange rates, and integration with quotation-workflow) matches the included scripts and config files: pricing-engine, copper-price-adapter, exchange-rate, price-history, and quotation integration. Dependencies on quotation-workflow and copper-price-monitor are declared in SKILL.md and the code references those integrations, so the requested capabilities are coherent with the stated purpose.
Instruction Scope
The runtime instructions and scripts read and write files (cache/, logs/, output/, config/), and copper-price-adapter explicitly scans a relative path outside the skill (<skill>/../../../copper-price-monitor/output). That external path access is consistent with the declared dependency but means the skill will attempt to read files outside its own directory. The SKILL.md and code instruct creating/using local logs and JSONL history files (which may be redirected via PRICE_HISTORY_FILE). The SKILL.md also says low-price events trigger a Discord notification; the provided JSON config includes a message template and channel name, but no Discord webhook/token is declared in the registry metadata or SKILL.md — the notification mechanism is not shown in the visible code, which is a gap to investigate.
Install Mechanism
There is no install spec (instruction-only packaging) and code is included as plain JS files. That is lower install-risk than downloading arbitrary binaries. The package writes files to local directories (cache, logs, output) as part of normal operation. No remote downloads or archive extraction are present in the provided manifest.
Credentials
The registry metadata lists no required environment variables, yet SKILL.md and the code use several env vars (DRY_RUN, PRICING_LOG, COPPER_LOG, CACHE_TTL_MS, PRICE_HISTORY_FILE). In addition, the bottom-price flow references Discord notifications but no webhook, token, or credentials are declared — it's unclear how notifications authenticate. The skill uses an external exchange rate API (open.er-api.com) which is reasonable for its purpose, but the undeclared env vars and missing notification credentials are inconsistencies that should be resolved before trusting the skill in production.
Persistence & Privilege
The skill is not marked always: true and does not request elevated platform privileges. It will create and write local files (cache, logs, output, price-history.jsonl) and persist history and caches by design. This is proportionate for a pricing engine, but users should be aware that it writes persistent logs and history files and may read a sibling project's output directory.
What to consider before installing
What to check before installing / running this skill:
- Confirm environment variables and secrets: the registry claims no required env vars, but SKILL.md and the code expect DRY_RUN, PRICING_LOG, COPPER_LOG, CACHE_TTL_MS and optionally PRICE_HISTORY_FILE. Decide values for these and set them explicitly in a safe environment (e.g., DRY_RUN=true for initial testing).
- Verify Discord/notification mechanism: the margin rules reference sending Discord notifications on low-price triggers, but no webhook/token is declared. Search the rest of pricing-engine.js (the truncated part) for any code that sends messages and confirm where credentials come from (env var, platform secret, or omitted). Do not run in production until you understand where notifications are sent and how they authenticate.
- Review external file access: copper-price-adapter reads a relative path ../../../copper-price-monitor/output. Make sure that directory is intentional and contains trusted data; otherwise the adapter could read unexpected files. If you don't run copper-price-monitor, test with DRY_RUN mode.
- Audit network calls: the exchange-rate module fetches from https://open.er-api.com. If your security policy restricts external API calls, run with DRY_RUN or block outbound HTTPS during testing.
- Inspect remaining code for side effects: the manifest shows truncated files; review the rest of pricing-engine.js and quotation-integration.js for any network calls, exec/spawn of shell scripts, or hardcoded endpoints. In particular, check for any code that would post data externally (beyond open.er-api.com) or execute scripts outside the skill directory (quotation-workflow integration references scripts/generate-all.sh and a Python script in a different repo).
- Run in a sandbox first: execute with DRY_RUN=true, PRICING_LOG=false, and PRICE_HISTORY_FILE pointed to a temporary path. Verify outputs, where files are written, and whether any unexpected external requests occur.
If the author can confirm (a) a list of required env vars in registry metadata, (b) how notifications (Discord) are authenticated (which env var or integration), and (c) that no other external endpoints are contacted, the remaining concerns would be reduced.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
- scripts/quotation-integration.js:355: Shell command execution detected (child_process).
- scripts/exchange-rate.js:28: Environment variable access combined with network send.
- scripts/exchange-rate.js:88: File read combined with network send (possible exfiltration).
