ClawHub

Price Api

PassAudited by ClawScan on May 1, 2026.

Overview

The skill is coherent for fetching construction price data, but users should review any file/database updates and optional API-key use before relying on it.

This appears safe for its stated purpose. Before installing, confirm you are comfortable granting file and network access, review any generated cost database updates before applying them, and handle any optional API key as a secret.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note
ASI02: Tool Misuse and Exploitation
What this means

The agent may contact external price APIs and read or write local project/cost files during use.

Why it was flagged

The skill requests broad file and network access, which fits fetching API data and updating/exporting cost files, but could modify local business data if used carelessly.

Skill content
"permissions": [
    "filesystem",
    "network"
  ]
Recommendation

Use it only with intended project paths and review any proposed database or file updates before applying them.

Note
ASI03: Identity and Privilege Abuse
What this means

If you provide a FRED API key, it may be sent to the FRED API endpoint to retrieve price data.

Why it was flagged

The sample client can accept a FRED API key and send it as an API parameter. This is purpose-aligned, but it is an optional credential not declared as a primary credential.

Skill content
def __init__(self, fred_api_key: Optional[str] = None): ... params['api_key'] = self.fred_api_key
Recommendation

Provide only the intended API key, avoid embedding secrets in shared files, and rotate the key if it is exposed.

Note
ASI04: Agentic Supply Chain Vulnerabilities
What this means

If you turn the sample into runnable code, you may need to install external Python packages yourself.

Why it was flagged

The documented Python implementation relies on third-party packages, while the package has no install spec and only declares the python3 binary. This is not automatic execution, but users would need to manage dependency provenance if running the sample code.

Skill content
import requests
import pandas as pd
Recommendation

Install dependencies from trusted sources and prefer pinned versions if converting this instruction-only skill into executable code.