Price Api
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: price-api Version: 2.1.0 The OpenClaw AgentSkills bundle is benign. The Python code uses standard libraries to fetch construction material prices from the legitimate FRED API and perform data analysis. The `network` permission is justified for API calls, and the `filesystem` permission is reasonable for handling input/output data files (CSV, Excel, JSON) as described in `instructions.md`. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, obfuscation, or prompt injection attempts against the AI agent. The instructions clearly guide the agent to perform the stated task without any hidden malicious directives.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may contact external price APIs and read or write local project/cost files during use.
The skill requests broad file and network access, which fits fetching API data and updating/exporting cost files, but could modify local business data if used carelessly.
"permissions": [
"filesystem",
"network"
]Use it only with intended project paths and review any proposed database or file updates before applying them.
If you provide a FRED API key, it may be sent to the FRED API endpoint to retrieve price data.
The sample client can accept a FRED API key and send it as an API parameter. This is purpose-aligned, but it is an optional credential not declared as a primary credential.
def __init__(self, fred_api_key: Optional[str] = None): ... params['api_key'] = self.fred_api_key
Provide only the intended API key, avoid embedding secrets in shared files, and rotate the key if it is exposed.
If you turn the sample into runnable code, you may need to install external Python packages yourself.
The documented Python implementation relies on third-party packages, while the package has no install spec and only declares the python3 binary. This is not automatic execution, but users would need to manage dependency provenance if running the sample code.
import requests import pandas as pd
Install dependencies from trusted sources and prefer pinned versions if converting this instruction-only skill into executable code.