Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Promotion Engine
v1.0.0
Retail promotion calculator and discount lookup for digital employees. Computes final prices after applying discounts, bundles, thresholds, and membership ti...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, high confidence
Purpose & Capability
Name/description = retail promotion calculator. The included script implements core threshold and percent discounts and membership discounts, which is coherent with the purpose. However, SKILL.md advertises support for bundles, gifts, member_price, and more complex rules; the script does not implement bundle/gift/member_price parsing or bundle-specific logic. This is a functional mismatch (over-promised features).
Instruction Scope
SKILL.md instructs the agent to use scripts/calculate_promotion.py and a knowledge_base.json containing promotions[] and membership{}. The script reads an arbitrary --kb path (Path(args.kb).read_text()) and will JSON-load whatever file is passed. There is no guidance or enforcement limiting which file may be supplied; if the agent is given a path outside the intended KB, the script will read that file (if readable). This increases the risk of exposing or operating on unrelated sensitive JSON data. No network calls or external endpoints are present.
Install Mechanism
No install spec (instruction-only with a bundled script). Nothing is downloaded or written by an installer. The script itself is a local file and is executed directly; low installation risk.
Credentials
No required environment variables, no credentials, and no config paths declared. The script only needs a path to a JSON knowledge base and an items JSON payload — these are proportionate to the stated functionality. However, because the KB path is unrestricted, the opportunity to read arbitrary JSON files should be considered.
Persistence & Privilege
Skill is not always-enabled and does not request elevated/persistent privileges. It does not modify other skills or system configuration. Autonomous invocation is allowed by default (normal), but this combined with the unconstrained KB path is why caution is warranted.
What to consider before installing or using:
- Functionality mismatch: the SKILL.md promises bundle/gift/member_price handling but the script only implements threshold and percentage discounts (and membership rate). If you need bundle/gift logic, ask the author to provide tests or implement those rules.
- KB file access: the script reads whatever JSON file path you pass via --kb. Make sure the agent is only given a sanitized knowledge_base.json (no secrets, tokens, or unrelated sensitive data) and consider running the skill in a sandboxed environment.
- Review/QA: inspect promo examples and test edge cases (bundles, BOGO, excluded items, stackability) with sample KBs before trusting customer-facing outputs.
- Missing references: SKILL.md references references/promo-rules-guide.md which is not included; ask the publisher for that document if you need the authoritative rule parsing spec.
- If you plan to allow autonomous agent runs, restrict the agent’s ability to choose arbitrary file paths or validate the --kb argument to prevent accidental data exposure.
Runtime requirements: Clawdis
