Skill v1.0.0
ClawScan security
GTS Ecommerce Price Monitor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 30, 2026, 6:18 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's files, instructions, and required capabilities are coherent with a competitor price-monitoring tool; it does not request secrets or perform unexpected network installs, but there are a few minor design choices worth reviewing before use.
- Guidance: This skill appears to do what it claims and does not request credentials or install remote code, but review these before enabling:
  - (1) Data storage: it saves configs and history into the skill's scripts/ and reports/ directories — confirm you are comfortable with data being written there or change paths to a workspace directory.
  - (2) Scheduled scans: the skill asks to add recurring cron jobs (openclaw cron add) — only allow if you want automated periodic scraping.
  - (3) Rate limits & TOS: scraping many product pages can trigger anti-bot/captcha or violate sites' terms; follow the recommended rate limits and consider using official APIs where available.
  - (4) Notifications: Telegram/Discord/email behavior depends on your workspace integration; double-check where alerts are sent.
  - (5) Code quality: the included Python scripts are management/report helpers (no obfuscation), but contain minor input/formatting assumptions — review them if you plan to run the CLI locally.
  If you want higher assurance, ask the publisher for a homepage/source repository and confirm where data will be stored and how scheduled jobs are created.
Review Dimensions
- Purpose & Capability (ok): Name/description match what the package does: track product URLs, log prices, run reports, and set alerts. The included Python scripts are management and reporting helpers (no hidden network installers). The SKILL.md expects the agent/browser tool to perform scraping (no separate scraping binary is required), which is reasonable for this use case.
- Instruction Scope (note): Instructions explicitly direct the agent to visit arbitrary e-commerce product URLs and extract price/stock/seller info — this is expected. They also instruct the agent to store config/history under scripts/*. The workflow asks the agent to create scheduled scans (openclaw cron add) and to send Telegram/Discord/email notifications using the platform's notification capabilities. No instructions ask for unrelated system secrets, but the skill does instruct the agent to modify scheduling and write persistent files in the skill folder.
- Install Mechanism (ok): No install spec or external downloads are present (instruction-only plus two local Python scripts). That reduces installation risk. The scripts rely on python3 being available (declared in SKILL.md).
- Credentials (note): The skill requests no environment variables or credentials. It mentions optional integrations (SMTP, Google Sheets, Amazon Product Advertising API) as user-supplied additions, which is reasonable. Be aware that notifications via Telegram/Discord/Workspace messaging rely on the platform's messaging/session APIs rather than new credentials.
- Persistence & Privilege (note): always:false (good). The skill recommends creating recurring OpenClaw cron jobs for automated scanning — this grants persistent scheduled runs if the user approves. The scripts write state/history to files under the skill package (scripts/price_history.jsonl, scripts/prices.json, scripts/alerts.json and reports/), which is persistent storage and may be unexpected (some users prefer workspace storage).
