Skill v1.0.0
ClawScan security
Group Buy Helper · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 15, 2026, 9:26 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and required surface are coherent with its stated purpose (analyzing group-buys and bargains); it stores activity data locally and does not request credentials or reach out to external endpoints.
- Guidance: This skill appears to do what it claims: analyze bargains/groups, suggest strategies, generate share text, and persist activity records locally. Before installing, consider: 1) The skill stores activity data (item names, links, prices, timestamps) in the platform's LocalStore — confirm you are comfortable with that storage and its retention/access controls. 2) There are no network calls or credential requests in the code, so it does not exfiltrate data by itself, but generated share text may include any links you supply — avoid embedding sensitive tokens in those links. 3) The estimations are simple heuristics (not official probabilities); treat recommendations as advisory. If you want extra assurance, inspect or sandbox the platform's shared storage implementation (../../shared/storage/local-store) to confirm access rules and persistence behavior.
Review Dimensions
- Purpose & Capability (ok): Name/description match the implementation: functions for bargain analysis, group-deal analysis, share-text generation, activity tracking, and status checks are present. No unrelated binaries, credentials, or platform access are requested.
- Instruction Scope (note): SKILL.md stays on-topic (asks for price, remaining people/time, platform). The runtime code persists activities using a LocalStore and reads/writes those records when tracking/checking activities — this is reasonable for 'activity tracking' but worth noting because user data is stored locally by the skill.
- Install Mechanism (ok): No install step or external downloads; the skill provides code only and relies on the platform's shared LocalStore module. No archives or third-party package installs are requested.
- Credentials (ok): The skill requires no environment variables, credentials, or config paths. All data it needs are passed in function inputs per SKILL.md.
- Persistence & Privilege (note): always:false and normal invocation. The skill writes and updates records in a LocalStore under the 'group-buy-helper' namespace (activities list). This is expected for tracking but means data (links, item names, timestamps) will be persisted locally — verify retention and who can access the platform storage.
