Gift Genius

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: gift-genius
Version: 4.0.0

The skill is designed for gift recommendations and uses `curl` to interact with an e-commerce API (`dashboard.airshelf.ai`) and various merchant websites. While the stated purpose is benign, the `SKILL.md` file demonstrates `curl` commands that directly embed user-controlled input (e.g., `q=QUERY`) into shell commands. If the AI agent executing these instructions does not rigorously sanitize user input before constructing and executing the `curl` commands, this presents a significant shell injection vulnerability. There is no evidence of intentional malicious behavior, but the potential for exploitation due to this vulnerability makes it suspicious.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The assistant may be able to create or start a merchant checkout for selected items.

Why it was flagged

The skill documents a POST request that can start a checkout flow. This is purpose-aligned for a shopping assistant and the example conversation asks whether to start checkout, but users should ensure the agent does not initiate checkout without explicit approval.

Skill content

curl -s -X POST "https://dashboard.airshelf.ai/api/merchants/MERCHANT_ID/checkout"

Recommendation

Confirm the exact product, quantity, price, delivery assumptions, and merchant before allowing any checkout action.

What this means

Personal gift preferences or budget details may be shared with the product-search service.

Why it was flagged

Gift preferences, approximate budget, and recipient-related search terms are sent to the external dashboard.airshelf.ai API. This is disclosed and necessary for the recommendation function, but it is still an external data flow.

Skill content

curl -s "https://dashboard.airshelf.ai/api/search?q=QUERY&merchant_ids=MERCHANT_ID&min_price=MIN&max_price=MAX&limit=5"

Recommendation

Avoid including highly sensitive personal details in gift queries, and review results before clicking or purchasing.