Dupe
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent product-search skill that sends user-provided product or image URLs to dupe.com, with no evidence of credentials, persistence, local file access, or destructive behavior.
This skill appears safe for ordinary public product lookups. Install it only if you are comfortable sharing the product or image URL with dupe.com, and avoid using private, signed, or token-containing links.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Any product or image URL supplied to the skill may be shared with dupe.com.
The skill forwards the user's product or image URL to an external dupe.com API. This is expected for the stated purpose, but URLs can reveal browsing interests or contain private/signed access tokens.
--url https://api.dupe.com/api/dupes/agent-skill ... "productUrl" ... "imageUrl"
Use public product or image URLs only, and remove tracking parameters or signed/private tokens before invoking the skill.
Malformed or specially crafted URLs could be mishandled if inserted into a shell command without proper quoting.
The skill instructs the agent to put user-supplied URL data into a curl JSON payload. This is purpose-aligned, but the artifact does not include explicit escaping or safe-construction guidance for unusual URLs.
Run the following command ... Replace the `productUrl` with the input URL given by the user.
Construct the JSON body safely, escape user-supplied URL values, or use a structured HTTP client instead of raw shell interpolation.
Users may not notice from registry metadata alone that the skill depends on local curl and external network access.
The skill discloses a curl and internet requirement in SKILL.md, while the provided registry requirements list no required binaries. This is a transparency issue rather than evidence of malicious behavior.
compatibility: Requires curl, access to the internet.
Declare curl and network/API access in metadata so users can make an informed install decision.
