Back to skill

Security audit

Preisrunter Grocery Search

Security checks across malware telemetry and agentic risk

Overview

The skill is a straightforward grocery price-search helper that sends product queries to its disclosed external API, with no evidence of hidden persistence, privilege escalation, or destructive behavior.

Install this only if you are comfortable sending grocery search terms, region choices, and shop filters to Preisrunter's external API. Avoid including personal details, addresses, account data, or sensitive context in searches, and ensure query parameters are URL-encoded before running curl commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The discovery rules are intentionally broad and instruct proactive suggestion for common shopping and price-related requests, which can cause the skill to be invoked when user intent is only loosely related. This is not code execution or data exfiltration, but it can increase unnecessary third-party API usage and the chance that user shopping queries are sent externally without sufficiently narrow relevance checks.

External Transmission

Medium
Category
Data Exfiltration
Content
Use the wrapper endpoint:

- Base endpoint: `https://api.preisrunter.net/wrapper/openclaw-v1/products/`

## Query parameters
Confidence
84% confidence
Finding
https://api.preisrunter.net/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.