Group Buy Helper
Security checks across malware telemetry and agentic risk
Overview
This skill appears to match its stated purpose, with only minor notices about local activity storage and an external shared storage helper.
This looks safe for ordinary group-buy and bargain analysis. Before using activity tracking, be aware that campaign details such as item names, prices, expiry times, and links may be saved locally until cleared by the environment or a future deletion feature.
VirusTotal
65/65 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Tracked campaign details may remain in local storage and be returned in later activity checks.
The skill persists user-provided activity details locally for later status checks. This is aligned with the advertised activity-tracking feature, but it may retain shopping links or campaign details beyond the immediate conversation.
this.store = new LocalStore('group-buy-helper'); ... activities.push({ ...activity, id: `act_${Date.now()}`, createdAt: new Date().toISOString(), status: 'active' }); this.store.set('activities', activities);Only track activities you are comfortable storing locally, and prefer clear documentation or controls for clearing old tracked activities.
The skill depends on platform/shared code for local persistence rather than being fully self-contained.
The code relies on a shared storage module outside the two-file manifest. This appears to support the disclosed tracking feature, but the helper itself is not included in the supplied artifacts.
const { LocalStore } = require('../../shared/storage/local-store');Confirm that the shared storage helper is a trusted platform component and that persistence behavior is documented.