Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match the content: searching and comparing Apple product prices across sellers is consistent with the SKILL.md. Roadmap items (price tracking, autonomous purchasing) are reasonable future features but are not implemented now.
Instruction Scope
SKILL.md is instruction-only and stays within the shopping domain (web search, product ranking). However it is quite high-level and open-ended (e.g., 'Find the best prices across authorized resellers'), which grants the agent broad discretion. It also generically instructs to 'Set up API credentials in environment variables as needed' without specifying which services or env var names.
Install Mechanism
No install spec and no code files are present, so nothing is written to disk or fetched at install time.
Credentials
Registry declares no required environment variables, but SKILL.md tells operators to 'set up API credentials in environment variables as needed.' This mismatch is concerning because it provides no explicit list of what credentials the skill will use (which services, what scope), leaving room for later requests for unrelated/overly broad secrets.
Persistence & Privilege
Flags are default: not always-on, user-invocable, and can be invoked autonomously by the agent (standard). No evidence the skill attempts to modify other skills or system-wide settings.
What to consider before installing
This skill appears to do what it says (find Apple product deals) and is low-risk right now because it's instruction-only with no install. However, the SKILL.md mentions using API credentials but the registry lists none — ask the author which platforms and exact environment variables are required before supplying secrets. Do not provide highly sensitive credentials (Apple ID, payment method, cloud provider keys) directly; prefer read-only or scoped API keys. Also be cautious about the roadmap item 'full autonomous purchasing flow' — if/when implemented, require explicit limits and confirmations before allowing purchases. If you decide to install, test it in a controlled environment and request clarification about what external APIs it will call and what permissions those APIs need.
Like a lobster shell, security has layers — review code before you run it.
latestvk97e85zjh868kjdwk90semzcc183e499
Runtime requirements
🛒 Clawdis
