Gas Price Alert

Pass

Audited by ClawScan on May 10, 2026.

Overview

The skill appears purpose-aligned for finding gas stations and setting optional daily alerts, but it sends search locations to external services and asks users to install unpinned Python dependencies.

This looks safe for typical use if you are comfortable sharing searched ZIP codes or coordinates with public mapping/gas services. Install dependencies carefully, and only enable the daily cron alert if you want ongoing automated searches.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your searched location may be shared with external services and, for the Overpass request shown, may be observable or alterable on the network.

Why it was flagged

The station search sends an area derived from the user's latitude/longitude and radius to the public Overpass API, and the visible endpoint uses HTTP.

Skill content

overpass_url = "http://overpass-api.de/api/interpreter" ... bbox = f"{lat-delta_lat},{lon-delta_lon},{lat+delta_lat},{lon+delta_lon}" ... response = requests.post(overpass_url, data=query, headers=headers, timeout=30)

Recommendation

Use the skill only for locations you are comfortable querying through third-party services; prefer HTTPS endpoints if modifying the script.

What this means

If you enable the cron job, OpenClaw may keep running gas-price searches and notifications every day until you disable it.

Why it was flagged

The skill documents a recurring agent turn for daily gas-price alerts. This is disclosed and central to the alerting purpose, but it is still persistent scheduled behavior.

Skill content

"schedule": { "kind": "cron", "expr": "0 8 * * *" ... }, "payload": { "kind": "agentTurn", "message": "Get me gas prices for Columbus, OH this morning..." } ... "This runs every day at 8 AM Eastern Time."

Recommendation

Only create the cron schedule if you want recurring alerts, and remember to remove or update it when your location, fuel type, or notification preference changes.

What this means

Installing dependencies may download current package versions or browser binaries from external sources.

Why it was flagged

The documentation asks users to install unpinned Python packages and, optionally, Playwright/browser components. This is purpose-aligned but relies on package provenance outside the skill artifacts.

Skill content

pip install requests geopy ... pip install playwright ... playwright install

Recommendation

Install in a trusted environment, consider pinning package versions, and use the optional Playwright path only if you need GasBuddy scraping.