Skill v1.1.0

ClawScan security

Gas Price Alert · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Feb 11, 2026, 9:44 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and requirements are consistent with a gas-price lookup/alert tool — it uses OpenStreetMap/Overpass and optional GasBuddy scraping, requests no secrets, and requires only normal Python packages.
Guidance
This skill appears coherent and implements the declared functionality. Before installing: (1) Understand notifications — the SKILL.md mentions sending summaries via Telegram but the included scripts do not perform that step, so you must configure your agent/OpenClaw notifications or add a Telegram integration (which would require a token). (2) If you want real-time prices, the optional GasBuddy scraping requires Playwright or an API key and will perform web requests to GasBuddy; ensure you are comfortable with the additional dependencies and that scraping complies with GasBuddy's terms. (3) The scripts make outbound HTTP requests to public services (Overpass/OpenStreetMap and optionally GasBuddy) — if you have network policies, allow or review those endpoints. (4) No secrets are required by default, but if you wire in notification channels or a GasBuddy API key, treat those as sensitive. If you want, I can point out the exact lines to change to add Telegram posting or to remove the optional Playwright dependency.

Review Dimensions

Purpose & Capability
ok
Name/description match the included artifacts: scripts search OSM/Overpass, include a hard-coded Costco list, estimate prices, and optionally scrape GasBuddy. All requested files and dependencies (requests, geopy, optional Playwright) are reasonable for the stated purpose. One minor mismatch: SKILL.md says the agent will "send the summary via Telegram" but the bundled scripts do not implement Telegram sending or require a TELEGRAM token — the skill appears to assume the host/agent will deliver notifications separately.
Instruction Scope
note
Runtime instructions limit actions to geocoding, Overpass queries, local estimation logic, and optionally GasBuddy scraping via Playwright. The instructions do not ask the agent to read unrelated system files or environment variables. They do assume the OpenClaw cron/notification system or an external channel (Telegram) for delivery; the skill does not include code to configure or send to Telegram, so you must provide notification plumbing yourself.
Install Mechanism
ok
There is no automatic install spec. The README/SKILL.md suggests installing Python packages with pip (requests, geopy) and optionally Playwright. That is proportionate and does not pull code from arbitrary URLs or create executables in unexpected locations.
Credentials
ok
The skill declares no required environment variables or credentials. The GasBuddy script supports an optional API key passed at runtime but does not demand secrets. No config paths or unrelated credentials are requested.
Persistence & Privilege
ok
always:false (normal). The skill does not request persistent elevated privileges or modify other skills. It can be scheduled via OpenClaw cron, which is expected for an alerting skill.