Unit Price Database Manager
Status: Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: unit-price-database-manager
Version: 2.0.0

The skill is classified as suspicious because its `import_from_csv` and `export_to_csv` methods, as described in `SKILL.md`, read and write the file system with no restriction on location. `claw.json` does declare the `filesystem` permission, but a permission grant is not a path boundary: both functions accept an arbitrary `file_path` argument, so the skill amounts to an arbitrary file read (the local equivalent of Local File Inclusion) and an arbitrary file write. A malicious or injected prompt could instruct the agent to read sensitive files such as `/etc/passwd` or the contents of `~/.ssh`, or to overwrite critical files, leading to data exfiltration or denial of service. There is no evidence of intentional malicious behavior in the code or instructions; the 'suspicious' classification rests on the severity of this exposure.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Capability: Apply bulk inflation adjustments when needed
Risk: A mistaken bulk adjustment could make estimates or bids inaccurate.
Context: Bulk price changes are within the stated purpose, but they can affect many database records and downstream estimates if applied to the wrong file or with the wrong rate.
Mitigation: Use explicit target files, review a summary or dry run before bulk updates, and keep a backup or version history of the price database.
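As an added illustration of the dry-run, explicit-target and version-history advice above (example code written for this review, not part of the skill): an in-memory price table where a bulk inflation adjustment is first planned and summarized without touching the data, then applied as a new version that can be rolled back. The `PriceRecord` layout, the `PriceDatabase` name, the 25% sanity bound on the rate and the stale-plan check are assumptions; the sample rows are constructed.

```python
from dataclasses import dataclass, replace
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")


class AdjustmentError(ValueError):
    """Raised when a bulk change fails a sanity check or is applied out of order."""


@dataclass(frozen=True)
class PriceRecord:  # assumed record layout, not the skill's schema
    item: str
    unit: str
    price: Decimal
    category: str


def plan_inflation_adjustment(records, rate, categories=None, max_rate=Decimal("0.25")):
    """Work out what a bulk adjustment would do, without changing anything.

    rate is a fraction (0.03 means +3%). Anything beyond max_rate in either
    direction is refused: the classic slip is typing 5 when 0.05 was meant,
    which would multiply every price by six in one step.
    """
    rate = Decimal(str(rate))
    if abs(rate) > max_rate:
        raise AdjustmentError(f"rate {rate} exceeds the sanity bound of {max_rate}")
    changes = []
    for rec in records:
        if categories is not None and rec.category not in categories:
            continue
        new_price = (rec.price * (1 + rate)).quantize(CENT, rounding=ROUND_HALF_UP)
        changes.append((rec, new_price))
    return {
        "rate": rate,
        "records_total": len(records),
        "records_affected": len(changes),
        "total_before": sum(rec.price for rec, _ in changes),
        "total_after": sum(new for _, new in changes),
        "changes": changes,
    }


def format_summary(plan):
    """Human-readable dry-run summary to review before anyone says 'apply'."""
    lines = [f"rate {plan['rate']:+} on {plan['records_affected']} of "
             f"{plan['records_total']} records, total {plan['total_before']} -> {plan['total_after']}"]
    for rec, new in plan["changes"]:
        lines.append(f"  {rec.item} ({rec.unit}): {rec.price} -> {new}")
    return "\n".join(lines)


class PriceDatabase:
    """In-memory stand-in for the price file, kept as a version history.

    apply() appends a new snapshot instead of mutating the loaded data, so the
    previous state is always available for rollback.
    """

    def __init__(self, records):
        self.history = [tuple(records)]

    @property
    def version(self):
        return len(self.history)

    @property
    def current(self):
        return self.history[-1]

    def plan(self, rate, categories=None):
        plan = plan_inflation_adjustment(self.current, rate, categories)
        plan["version"] = self.version  # snapshot the plan was computed against
        return plan

    def apply(self, plan):
        if plan["version"] != self.version:
            raise AdjustmentError("plan is stale; review a fresh dry run before applying")
        new_prices = {rec: new for rec, new in plan["changes"]}
        self.history.append(tuple(
            replace(rec, price=new_prices[rec]) if rec in new_prices else rec
            for rec in self.current))
        return self.version

    def rollback(self):
        if self.version == 1:
            raise AdjustmentError("nothing to roll back")
        self.history.pop()
        return self.version


def demo():
    """Constructed walk-through: a 3% materials-only adjustment, applied and rolled back."""
    db = PriceDatabase([
        PriceRecord("concrete", "m3", Decimal("120.50"), "materials"),
        PriceRecord("rebar", "kg", Decimal("1.10"), "materials"),
        PriceRecord("carpenter", "hour", Decimal("45.00"), "labor"),
    ])
    out = {}
    try:
        db.plan(5)  # almost certainly meant 0.05; refused by the sanity bound
        out["huge_rate_rejected"] = False
    except AdjustmentError:
        out["huge_rate_rejected"] = True
    plan = db.plan(0.03, categories={"materials"})
    out["summary"] = format_summary(plan)
    out["affected"] = plan["records_affected"]
    out["total_before"] = str(plan["total_before"])
    out["total_after"] = str(plan["total_after"])
    out["version_after_apply"] = db.apply(plan)
    out["concrete_after"] = str(db.current[0].price)
    out["labor_unchanged"] = db.current[2].price == Decimal("45.00")
    try:
        db.apply(plan)  # same plan twice: the version no longer matches
        out["stale_plan_rejected"] = False
    except AdjustmentError:
        out["stale_plan_rejected"] = True
    out["version_after_rollback"] = db.rollback()
    out["concrete_restored"] = str(db.current[0].price)
    return out
```

The separation matters more than the arithmetic: the agent can be asked to produce and show a plan freely, but nothing changes until a reviewed plan for the current version is applied, and the loaded data survives as version 1 for rollback.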
Capability: Track price history and calculate escalation rates
Risk: Historical prices and vendor data may reveal sensitive business information if stored or exported to unintended locations.
Context: The skill is intended to retain and reuse pricing history, which may include proprietary vendor and cost information; this is purpose-aligned but should be handled deliberately.
Mitigation: Keep price databases in approved project locations, avoid including unrelated confidential data, and verify exports before sharing.
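The path-confinement check that addresses both the unrestricted `file_path` arguments described in the overview and the approved-locations advice in this note. This is example code added for this review, not the skill's own implementation: the `resolve_inside` helper, the `base_dir` parameter, the `.csv` suffix rule and the temporary directory layout are assumptions, and the price rows are constructed. The unconfined import is shown only as the shape the audit objects to.

```python
import csv
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when a caller-supplied path escapes the approved directory."""


def resolve_inside(base_dir, user_path):
    """Return the real location of user_path, or raise if it leaves base_dir.

    pathlib joins an absolute user_path as-is (Path("/a") / "/etc/passwd" is
    "/etc/passwd"), and resolve() collapses ".." and follows symlinks, so the
    containment test runs on the final on-disk location rather than on the
    spelling of the string the prompt supplied.
    """
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise UnsafePathError(f"{user_path!r} resolves to {candidate}, outside {base}") from None
    if candidate.suffix.lower() != ".csv":  # assumed policy: only CSV files are touched
        raise UnsafePathError(f"{user_path!r} is not a .csv file")
    return candidate


def is_confined(base_dir, user_path):
    """Boolean form of resolve_inside, convenient for dry runs and tests."""
    try:
        resolve_inside(base_dir, user_path)
        return True
    except UnsafePathError:
        return False


def import_from_csv_unconfined(file_path):
    """The shape the audit flags: whatever path arrives is opened as-is."""
    with open(file_path, newline="") as fh:
        return list(csv.DictReader(fh))


def import_from_csv(file_path, base_dir):
    """Hardened variant: only .csv files under base_dir can be read."""
    with resolve_inside(base_dir, file_path).open(newline="") as fh:
        return list(csv.DictReader(fh))


def export_to_csv(rows, file_path, base_dir):
    """Hardened export: refuses to write outside base_dir or over a non-CSV file."""
    target = resolve_inside(base_dir, file_path)
    with target.open("w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=list(rows[0].keys()))
        writer.writeheader()
        writer.writerows(rows)
    return target


def demo():
    """Constructed scenario: a throwaway project directory holding one price file."""
    with tempfile.TemporaryDirectory() as tmp:
        project = Path(tmp) / "project"
        project.mkdir()
        (project / "prices.csv").write_text(
            "item,unit,price\nconcrete,m3,120.50\nrebar,kg,1.10\n")
        # A symlink inside the project that points outside it must also be rejected.
        outside = Path(tmp) / "outside.csv"
        outside.write_text("secret,1\n")
        (project / "link.csv").symlink_to(outside)

        rows = import_from_csv("prices.csv", project)
        exported = export_to_csv(rows, "copy.csv", project)
        return {
            "imported": len(rows),
            "first_item": rows[0]["item"],
            "export_inside": exported.parent == project.resolve(),
            "plain": is_confined(project, "prices.csv"),
            "traversal": is_confined(project, "../outside.csv"),
            "absolute": is_confined(project, "/etc/passwd"),
            "symlink_escape": is_confined(project, "link.csv"),
            "non_csv": is_confined(project, "notes.txt"),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check is deliberately on the resolved path rather than on the string: rejecting `..` textually misses symlinks and absolute paths, which is exactly how a prompt-supplied `file_path` reaches `~/.ssh` or `/etc/passwd`.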
