Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Haresh Product Search

v1.0.2

Search e-commerce products via n8n webhook integration

by Haresh Sainaath S @haresh-sai06

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for haresh-sai06/haresh-product-search.

Install the skill "Haresh Product Search" (haresh-sai06/haresh-product-search) from ClawHub.
Skill page: https://clawhub.ai/haresh-sai06/haresh-product-search
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install haresh-sai06/haresh-product-search

ClawHub CLI

npx clawhub@latest install haresh-product-search
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill claims to integrate with an n8n webhook (reasonable for a product-search skill). However, there is no declared or required webhook URL or configuration. The code hard-codes a placeholder URL (https://your-n8n-webhook-url) instead of reading a configurable environment variable, so the skill as packaged cannot reliably reach the intended service. That omission is disproportionate to the stated purpose and suggests incomplete/incorrect packaging.
! Instruction Scope
SKILL.md tells the agent to use an exec tool to POST to http://localhost:5678/webhook/product-search, while the actual runtime code (index.js) performs a fetch to a different placeholder URL (https://your-n8n-webhook-url). This conflict is material: following SKILL.md would try to contact localhost, while invoking the provided tool runs code that contacts an external URL. The instructions do not request reading unrelated files or secrets, but the mismatch creates ambiguity about outbound network targets (local vs external), which is a security-relevant inconsistency.
Install Mechanism
No install spec is provided (instruction-only with a small code file). That minimizes disk-install risk — nothing is downloaded from remote installers during installation.
! Credentials
The skill declares no required environment variables or credentials, but its code needs a webhook URL to function and instead contains a hard-coded placeholder. A properly designed webhook integration would require a configurable URL (and possibly an API key) declared in requires.env. The lack of declared configuration means either the package is incomplete or it expects a developer to edit the code, both of which are problematic from a security/operational standpoint.
Persistence & Privilege
The skill does not request persistent/all-skill privileges (always:false) and does not modify other skills. Normal autonomous invocation is allowed by default but is not combined with other red flags here.
What to consider before installing
This skill is internally inconsistent and should not be used until corrected. Key things to check or require from the author before installing:

  • Provide a configurable webhook URL (e.g., N8N_WEBHOOK_URL) declared in requires.env instead of a hard-coded placeholder.
  • Resolve the mismatch between SKILL.md (which instructs an exec POST to localhost) and index.js (which does a fetch to an external placeholder). Confirm whether the webhook target is meant to be localhost or an external n8n instance.
  • If the webhook will be an external endpoint, verify the endpoint is trusted and requires authentication; do not allow the skill to post arbitrary user data to an untrusted third party.
  • Prefer returning the tool behavior in code and keep SKILL.md instructions aligned and specific (avoid open-ended exec guidance that could run arbitrary shell commands).
  • Ask the author for a new release with proper configuration, documented auth requirements (if any), and matching docs/code before enabling the skill.

If you must test, run it in an isolated environment with network egress controls so you can observe and restrict where it posts.

Like a lobster shell, security has layers — review code before you run it.

latest: vk974e039ehm8fz6zzr72p7txgs8270h8
402 downloads
0 stars
3 versions
Updated 22h ago
v1.0.2
MIT-0

Product Search Skill

Purpose

Enables users to search for products in the e-commerce catalog using natural language queries.

When to Use

  • User asks to find products, search inventory, or browse catalog
  • User mentions specific product types, categories, or brands
  • User provides price constraints or filtering requirements

Workflow

  1. Parse user intent to extract search parameters:

    • Product category (e.g., "running shoes", "laptops")
    • Price constraints (e.g., "under $100", "between $50-$200")
    • Sort preferences (e.g., "cheapest first", "highest rated")
  2. Transform parameters into JSON payload with category, price_min, price_max, sort_by

  3. Use exec tool to POST to n8n webhook at http://localhost:5678/webhook/product-search

  4. Parse n8n response and present results to user in friendly format

Parameter Mapping

  • Category synonyms: "gym shoes" becomes "fitness", "sneakers" becomes "footwear"
  • Price parsing: "under X" sets price_max to X
  • Sort options: "cheapest" sorts price ascending, "best" sorts by rating

Error Handling

  • If no results: Suggest broader search terms
  • If webhook fails: Inform user search service is unavailable
  • If timeout: Ask if user wants to wait or retry
