Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
Name/description match the high-level purpose (bargain hunting, price comparison). However, claimed capabilities like continuous monitoring, historical price analysis, alerts, and 'full autonomous purchasing' imply persistent storage, platform API access, and credential use — none of which are declared or specified. Saying "Set up API credentials in environment variables as needed" without declaring which credentials or requiring env vars is an inconsistency.
Instruction Scope
SKILL.md is high-level and leaves runtime behavior unspecified. It instructs activation whenever the user mentions buying/shopping and describes monitoring/alerts, but gives no concrete limits on data collection, polling frequency, storage locations, or where alerts are sent. That vagueness grants the agent broad discretion (possible continuous monitoring or arbitrary network access) without bounds.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest-risk install footprint. Nothing will be written to disk by an installer because there is no install mechanism declared.
Credentials
The doc tells users to "Set up API credentials in environment variables as needed for each supported platform," but the skill declares no required env vars or primary credential. For the claimed platform integrations (e.g., e-commerce APIs) you'd normally expect explicit env var names and justification; that mismatch is a red flag because it may later ask for sensitive keys without upfront disclosure.
Persistence & Privilege
Flags show normal defaults (always: false, agent can invoke autonomously). That is expected. However, the roadmap explicitly mentions a 'full autonomous purchasing flow' in future; if that is implemented later, it could require higher privileges (payment credentials, order placement). The current package does not request those, but the roadmap increases future risk and should be treated cautiously.
What to consider before installing
This skill is not outright malicious, but it lacks important implementation and security details. Before installing or using it, ask the author to: (1) list exactly which platform APIs it will use and the precise environment variables required, (2) describe how monitoring works (frequency, background processes), where data and historical prices are stored, and who can access them, (3) confirm whether the skill can perform purchases autonomously and, if so, require explicit user approval flows and spending limits, and (4) provide a privacy/retention policy for collected data. If you plan to give it access to any payment or API credentials, only do so after you have explicit, concrete answers and prefer testing in a sandbox account. Because the current SKILL.md is vague about these matters, treat it as suspicious until those gaps are closed.

Like a lobster shell, security has layers — review code before you run it.
latest · vk972r2n4b00x142teyfwmgcdnh841fxr
Runtime requirements
🛒 Clawdis
