v1.0.1

Mai Shopping Assistant

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 7:25 AM.

Analysis

This is an instruction-only shopping advice skill with no code, credentials, persistence, or payment authority, and its behavior matches its stated purpose.

GuidanceThis skill appears safe as a shopping-advice prompt package. Treat its recommendations as decision support rather than financial advice, verify prices and sellers independently, and review any downstream commerce skill before sharing sensitive budget, account, or payment information.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceHighStatusNote

_meta.json

"ownerId": "harrylabsj", "slug": "mai", "version": "1.0.0"

The supplied registry metadata lists a different owner ID and version 1.0.1, while the embedded _meta.json lists ownerId harrylabsj and version 1.0.0. This is a package provenance/version consistency issue, though the skill has no executable code or install step.

User impactThe publisher/version lineage is less clear than ideal, but this does not show malicious behavior in the provided instruction-only artifacts.

RecommendationIf provenance matters, verify the registry entry or package source before relying on it.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityInfoConfidenceHighStatusNote

SKILL.md

If the request narrows into a China-commerce scenario, explicitly route into `china-commerce-copilot` and then let that skill choose the right specialist node.

The skill discloses that some requests may be handed to another named skill. This is aligned with the shopping-router purpose, but the downstream skill is not included in these artifacts.

User impactA China-marketplace shopping request, including any product preferences or budget details you provide, may be handled by another skill.

RecommendationReview the downstream skill if you plan to use that route, and avoid sharing payment credentials or account access unless a trusted, purpose-built skill clearly requires them.