Skillv1.0.0

ClawScan security

Uquid Shop Bot · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

SuspiciousMar 3, 2026, 1:41 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's behavior generally matches a Uquid shopping assistant, but it claims to be 'official' while the registry provides no homepage or verifiable source; that mismatch and the skill's need to browse real-time pages merits caution.
Guidance: This skill appears to be a coherent shopping assistant, but it explicitly calls itself 'Official' while the registry shows no homepage or verifiable source — treat that claim as unverified. Before installing/use: 1) verify publisher identity (look for an official Uquid listing or contact Uquid support); 2) do not paste or type private keys or seed phrases into chat or into pages the agent opens; 3) when the agent provides links, confirm they are exactly on uquid.com, shop.uquid.com, or nft.uquid.com (watch for lookalike domains); 4) be aware that the agent will use live web browsing/search tools — any sensitive data you enter into visited pages could be exposed to the agent; and 5) if you need strong assurance this is an official integration, ask the vendor for an official integration URL or signed metadata before trusting the skill.

Purpose & Capability: noteName, description, and runtime instructions consistently describe a Uquid shopping assistant that uses web search/browsing to find products and recommend payments. However, the skill claims to be the 'Official' Uquid assistant yet has no homepage, no source repository, and no verifiable publisher metadata in the registry — this is a credibility mismatch (marketing claim vs. registry evidence).
Instruction Scope: okSKILL.md stays within shopping scope: it instructs the agent to ask product type/budget/cashback preferences and to use browse_page or web_search limited to uquid domains, compare multiple options, and guide payment choices. It explicitly forbids asking for seed phrases/private keys. The only operational risk is that real-time browsing may expose user-provided payment details if the user pastes them into pages; the instructions do not request system files, extra environment vars, or exfiltration to third-party endpoints.
Install Mechanism: okInstruction-only skill with no install spec and no code files — minimal filesystem footprint and no downloads.
Credentials: okThe skill declares no required environment variables, credentials, or config paths — appropriate for a browsing/search-based shopping assistant.
Persistence & Privilege: okalways is false and the skill can be invoked by users or by the agent normally; no elevated or persistent privileges are requested.