Skillv1.0.3

ClawScan security

Taobao Competitor Analyzer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 31, 2026, 10:00 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's declared purpose (cross‑platform price/competitor comparison using visible browser data) matches its instructions and it requests no installs, credentials, or unusual system access.
Guidance: This skill appears coherent and focused, but consider the following before use: (1) Prefer the isolated browser: only let the agent use your Chrome tab if you understand it may see cookies, logged‑in session state, personalized prices or other private page contents. (2) The skill intentionally avoids APIs and hidden endpoints — results depend on what is visibly shown in the page and may miss app‑only offers. (3) If you need absolute price/legal guarantees (coupons, membership prices, regional offers), verify on the platforms directly before purchasing. (4) You don't need to supply any credentials to install — decline granting access to your real browser if you want to avoid exposing account data.

Purpose & Capability: okName, description, README, and SKILL.md consistently describe a browser‑based comparison tool for Taobao vs JD/PDD/Vipshop; there are no unrelated env vars, binaries, or install steps requested.
Instruction Scope: noteInstructions stay focused on collecting visible page data, matching rules, and decision logic. One notable allowance: prefer the isolated OpenClaw browser but use the user's Chrome tab if the user explicitly asks — that can expose logged‑in session data or other personal info if the user consents. Otherwise the scope is appropriate and explicitly forbids hidden APIs and scraping shortcuts.
Install Mechanism: okInstruction-only skill with no install spec and no code files; nothing is written to disk or fetched during install.
Credentials: okNo required environment variables, credentials, or config paths are declared — consistent with a browser‑visible data collector that does not call external APIs.
Persistence & Privilege: okDefaults used (always: false, agent invocation allowed). The skill does not request permanent presence or modify other skills or system settings.