Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Dupe

v1.0.0

Uses dupe.com APIs in order to find similar products for the product found in the input URL given by the user.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
View report →
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and runtime instructions are coherent: the skill sends a product or image URL to https://api.dupe.com/api/dupes/agent-skill and returns similar-product matches. No unrelated binaries, env vars, or installs are requested.
Instruction Scope
Instructions are narrow and only show curl POSTs of the provided productUrl or imageUrl to the dupe.com API. This is appropriate for the stated purpose, but it does cause the agent to transmit user-supplied URLs/images to an external service — which could expose private information embedded in those URLs or images.
Install Mechanism
Instruction-only skill with no install spec and no code files; lowest-risk install profile. It does require curl and network access (explicitly stated).
Credentials
No environment variables, credentials, or config paths are requested. The instructions do not reference any secrets or system files beyond sending user-provided URLs to the external API.
Persistence & Privilege
The skill's always flag is false, and there is no install step or self-modifying behavior. The skill does not request persistent or system-level privileges.
What to consider before installing
This skill behaves as described (it sends a product or image URL to api.dupe.com and returns matches), but there are a few things to consider before installing:
- Privacy: any URL or image you give the skill will be transmitted to api.dupe.com. Don't provide links or images that contain private tokens, session IDs, or personally identifying content you don't want shared.
- Provenance: the skill metadata shows no homepage and the registry owner is not human-readable; verify that api.dupe.com is the legitimate service you want to use. If you expect an official dupe.com integration, ask the publisher for a verifiable homepage or documentation.
- Authentication & rate limits: the SKILL.md shows unauthenticated POST examples. Confirm whether the real API requires an API key or enforces rate limits; otherwise requests may fail or expose unintended data.
- Safe testing: try the skill with non-sensitive, public product URLs first. If you need to send private images or internal URLs, avoid doing so until you confirm the service's privacy policy and access controls.
If the publisher can provide a verifiable homepage, official documentation, or an explicit statement about how submitted data is stored/used, the assessment could be upgraded to benign.
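The Instruction Scope and privacy notes above both come down to one check: look at a user-supplied URL before it is forwarded to a third-party API, and strip or refuse anything that should not leave the machine. The following is an added example written for this review, not code from the skill or from dupe.com. It assumes a hypothetical pre-flight helper, check_url, that flags embedded userinfo credentials, internal or private-network hosts, query parameters whose names or values look like tokens or session IDs, and URL fragments, then returns a sanitized URL with those parts removed. The parameter-name list and the secret-shaped regexes are heuristics chosen for the example, not a specification of what dupe.com accepts.

```python
"""Pre-flight check for product URLs before POSTing them to an external API.

Added example (not part of the Dupe skill). check_url() returns a list of
findings plus a sanitized copy of the URL with userinfo, suspicious query
parameters and the fragment removed, so an agent can refuse or scrub a link
before it leaves the machine.
"""
import ipaddress
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Heuristic list of query-parameter names that commonly carry credentials or
# session state (assumption for this example, not an exhaustive list).
SENSITIVE_PARAMS = {
    "token", "access_token", "auth", "api_key", "apikey", "key", "session",
    "sessionid", "sid", "sig", "signature", "password", "pwd", "jwt", "code",
}

# Hostname suffixes that usually indicate an internal resource rather than a
# public product page (assumption for this example).
INTERNAL_SUFFIXES = (".local", ".internal", ".corp", ".lan", ".home")

# Value shapes that look like secrets regardless of the parameter name:
# a JWT (three base64url segments, header starting with "eyJ") or a long
# opaque hex/base64 string of 32+ characters.
JWT_RE = re.compile(r"eyJ[\w-]+\.[\w-]+\.[\w-]*")
OPAQUE_RE = re.compile(r"[A-Za-z0-9_\-=]{32,}")


def looks_like_secret(value):
    """True if a query value is shaped like a token rather than a product attribute."""
    return bool(JWT_RE.fullmatch(value) or OPAQUE_RE.fullmatch(value))


def check_url(url):
    """Inspect url; return (findings, sanitized_url).

    findings is a list of human-readable strings, empty when the URL looks
    safe to forward. sanitized_url always drops userinfo, flagged query
    parameters and the fragment.
    """
    parts = urlsplit(url)
    findings = []

    if parts.scheme not in ("http", "https"):
        findings.append("non-http scheme: %s" % parts.scheme)

    # user:password@host is transmitted verbatim by curl; never forward it.
    if parts.username or parts.password:
        findings.append("credentials embedded in URL userinfo")

    host = parts.hostname or ""
    try:
        ip = ipaddress.ip_address(host)
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            findings.append("private or loopback IP address: %s" % host)
    except ValueError:
        # Not an IP literal: apply hostname heuristics instead.
        if host == "localhost" or "." not in host or host.endswith(INTERNAL_SUFFIXES):
            findings.append("internal-looking hostname: %s" % host)

    # Keep only query parameters that look like product attributes.
    kept = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS or looks_like_secret(value):
            findings.append("sensitive query parameter: %s" % name)
        else:
            kept.append((name, value))

    # Fragments are not sent by browsers but curl will forward them inside a
    # JSON body; SPAs often park access tokens there.
    if parts.fragment:
        findings.append("fragment present (may carry tokens)")

    # Rebuild the netloc without userinfo, preserving an explicit port.
    netloc = "[%s]" % host if ":" in host else host
    try:
        if parts.port:
            netloc += ":%d" % parts.port
    except ValueError:
        findings.append("malformed port in URL")

    sanitized = urlunsplit((parts.scheme, netloc, parts.path, urlencode(kept), ""))
    return findings, sanitized


if __name__ == "__main__":
    # Constructed sample inputs; none of these are real product pages.
    for sample in (
        "https://www.example.com/dp/B08N5WRWNW?ref=nav",
        "https://shop.example.com/item/123?color=red&session=abc123#access_token=zz",
        "https://user:pw@intranet.corp/p/1",
    ):
        problems, clean = check_url(sample)
        print(sample, "->", clean, problems or "OK")
```

Run check_url on each user-supplied link before building the curl command from the Dupe SKILL.md; forward the sanitized URL only when findings is empty, or surface the findings to the user and let them decide. The check is intentionally conservative: a public retailer URL with short, descriptive parameters passes untouched, while anything carrying credentials, session state or an internal host is reported.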

Like a lobster shell, security has layers — review code before you run it.

latest: vk97cparwxt3kfpjwyxp4kvb00180tckp
