Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Kiza Negotiator

v0.1.0

AI agent that automates marketplace negotiations, offer responses, deal closing, and pricing with customizable styles and 24/7 availability.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The description promises marketplace negotiations, escrow handling, and ACP integration, but the skill declares no required environment variables, no primary credential, and no config paths. A negotiator that interacts with marketplaces would reasonably need API keys, marketplace identifiers, and explicit integrations; those are missing.
! Instruction Scope
SKILL.md instructs running commands like 'clawhub install kiza-negotiator' and 'kiza-nego init/start', and references escrow, logging, and market watching, but there is no bundled binary or install spec and no concrete instructions for which marketplace APIs, endpoints, or credentials to use. That leaves the agent's actions broad and unspecified, and its runtime behavior failing or ambiguous.
! Install Mechanism
There is no install specification and no code files (instruction-only). Yet the README-style instructions assume an external 'kiza-nego' binary will be installed/available. This mismatch is risky because the skill's runtime behavior depends on software that is not provided or documented in the registry entry.
! Credentials
The SKILL.md explicitly requires 'Valid marketplace credentials' and 'OpenClaw with ACP integration' but the registry lists no required env vars or primary credential. Credentials such as API keys or tokens should be declared and justified; their absence is an inconsistency and a red flag for hidden credential needs.
Persistence & Privilege
The skill does not request always:true and uses default autonomous-invocation behavior. Autonomous invocation is normal for skills, but combined with the other gaps (undocumented external binaries, missing credential declarations), that autonomy increases potential risk. There is no indication the skill modifies other skills or system-wide settings.
What to consider before installing
Do not install or provide real marketplace credentials yet. Ask the publisher for: (1) source repository or official homepage, (2) a concrete install mechanism (release URL, package name, checksums), (3) exact environment variables and permissions required (which marketplaces, what keys/tokens), (4) where logs and escrow operations are stored and which escrow providers are used, and (5) auditable code or a binary you can review. If you test, use a sandbox or limited-capability test account, verify network endpoints, and never hand over production credentials until you can inspect the code and confirm the install source is legitimate.

Like a lobster shell, security has layers — review code before you run it.

acp · latest · marketplace · negotiator
