v1.0.2

Haresh Product Search

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 6:22 AM.

Analysis

This is a small product-search webhook skill with no credentials or persistence, but users should verify the n8n webhook destination because the documentation and code do not name the same endpoint.

Guidance: Before installing, verify which n8n webhook this skill will call and make sure it is your trusted product-search workflow. The artifacts do not show credential use, persistence, or broad local access, but users should avoid including sensitive information in product search queries until the endpoint is confirmed.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
Use exec tool to POST to n8n webhook at http://localhost:5678/webhook/product-search

The workflow directs the agent to issue a webhook POST through an exec-style tool. This is consistent with the stated product-search purpose, but it is still command/network activity that should remain tightly scoped.

User impact: A product search request may trigger a local n8n workflow when the agent decides the user is asking to search products.
Recommendation: Verify the n8n workflow and keep the POST target and payload limited to the documented product-search use case.

Agentic Supply Chain Vulnerabilities
Severity: Info | Confidence: High | Status: Note
_meta.json
"version": "1.0.1"

The supplied registry metadata lists version 1.0.2, while the included _meta.json lists 1.0.1. This is a provenance/packaging consistency issue rather than evidence of harmful behavior.

User impact: The installed package version may be harder to confirm from the included metadata.
Recommendation: Confirm the published version and update package metadata so all artifacts identify the same release.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
index.js
fetch("https://your-n8n-webhook-url", { ... body: JSON.stringify({ query }) })

The code sends the user's query to a webhook, and the code endpoint differs from the localhost webhook described in SKILL.md. This makes the final data boundary dependent on configuration.

User impact: Product search terms will be sent to the configured n8n webhook; if a user includes private details in a search, those details go to that service.
Recommendation: Configure only a trusted n8n endpoint, disclose the destination to users, and avoid putting sensitive personal or business data in product search queries.