Preisrunter Grocery Search

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill

Name: preisrunter

Version: 1.0.4

The skill is designed to interact with an external API using `curl` and `jq`. It constructs `curl` commands using user-provided input for query parameters like `q` and `shops`. While the `skill.md` explicitly instructs the agent to "URL-encode spaces in `shops` values", if the AI agent fails to properly sanitize or encode user input before executing the `curl` command, it could lead to command injection or URL manipulation vulnerabilities. This represents a potential RCE risk through an agent-side vulnerability, classifying it as suspicious rather than malicious, as there's no evidence of intentional harmful behavior from the skill author.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Grocery search terms, region, and shop filters may be sent to Preisrunter when the skill is used.

Why it was flagged

The skill is designed to send user search queries to an external provider endpoint. This is disclosed and proportionate to the grocery search purpose.

Skill content

Base endpoint: `https://api.preisrunter.net/wrapper/openclaw-v1/products/` ... `q` (string, required): search query

Recommendation

Use the skill for ordinary grocery price searches and avoid entering unrelated personal or sensitive information as search terms.