Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Gift Genius
v4.0.0
Location-aware Valentine's Day gift finder. Routes US users to premium flowers (UrbanStems), Singapore users to wellness supplements (Avea Life). Returns curated picks with Decision Packs — no decision fatigue, just 2-3 perfect options.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the instructions: it queries an external product search API and returns curated picks. Required binary (curl) is appropriate and proportional. Hardcoded merchant IDs and product guidance are plausible for a marketplace-driven recommender.
Instruction Scope
SKILL.md contains precise curl commands to search and to POST to a checkout endpoint on dashboard.airshelf.ai. It does not instruct reading unrelated files or env vars, but it does recommend initiating a checkout POST without documenting authentication or consent flow — that may be operationally incomplete (checkout likely requires auth) and could mislead the agent into attempting failing or unauthorized actions.
Install Mechanism
Instruction-only skill with no install spec or code files. This is low-risk from an install/execution standpoint (nothing written to disk).
Credentials
No environment variables or credentials are requested, which is consistent with being a read-only recommender. The lack of credentials is notable given the presence of a checkout API call, but that is an operational, not necessarily malicious, inconsistency.
Persistence & Privilege
Skill does not request always:true or other elevated persistent privileges and is user-invocable only. It does not modify other skills or system-wide settings.
Assessment
This skill is instruction-only and generally coherent: it uses curl to call an external search API and returns curated product picks. Before installing, consider:
1) the skill's source and homepage are unknown — verify you trust dashboard.airshelf.ai and the provided merchant IDs (UrbanStems / Avea Life) before letting an agent perform API calls.
2) The SKILL.md includes a checkout POST but provides no authentication details — the agent may not be able to complete purchases and should never be given payment credentials or full account tokens.
3) If you expect the agent to actually place orders, require explicit user confirmation and a documented auth flow (OAuth/API keys) rather than relying on an instruction that posts to a checkout endpoint.
If you want higher assurance, ask the skill author for source code or a homepage and for clarification about how checkout/auth is supposed to work.
Like a lobster shell, security has layers — review code before you run it.
latestvk971k79yv12jttm68s502kzfz5810fj4
Runtime requirements
🎁 Clawdis
Bins: curl
