Skill v1.0.0

ClawScan security

Mercado Libre · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 4, 2026, 9:59 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requested resources and runtime instructions match its Mercado Libre marketplace purpose and do not ask for unrelated credentials or installs.
Guidance
This skill appears coherent and limited to marketplace workflows. Before installing, confirm you are comfortable with the agent creating and updating files in ~/mercado-libre/ (these will hold memory, watchlists, and logs). Only provide Mercado Libre account credentials or API tokens when you explicitly ask the skill to perform live buys, sells, or automations — and prefer storing those secrets in your secret manager rather than pasting them into chat or local files. Review setup.md and automation.md to ensure automation guardrails meet your tolerance for automated write actions, and always require explicit confirmation before allowing any purchase or listing changes.
Findings
[no-findings] expected: No code files were present and the regex-based scanner had nothing to analyze; this is expected for an instruction-only skill. Security-relevant behavior is described in the SKILL.md and accompanying markdown files.

Review Dimensions

Purpose & Capability
ok
Name/description (search, compare, buy, sell, automate) align with requested artifacts: a local config/memory directory (~/mercado-libre/) and optional Mercado Libre account/API tokens for live actions. No unrelated cloud credentials, binaries, or odd install steps are requested.
Instruction Scope
ok
All runtime instructions are documented in the included markdown files and limit actions to search/compare/decision workflows, local note storage, and explicit, confirmed write actions (purchases, listing updates, automations). The skill explicitly forbids persisting credentials by default and requires explicit confirmation before live write operations.
Install Mechanism
ok
Instruction-only skill with no install spec and no code files — nothing will be downloaded or written other than local memory files under ~/mercado-libre/. This is the lowest-risk install model and is proportionate to the stated purpose.
Credentials
ok
No required environment variables or primary credential are declared. The docs state a Mercado Libre account or API token is only needed for live buy/sell/automation and should be stored in user-managed secret storage — this is proportionate and scoped to the described functionality. The only required config path is ~/mercado-libre/, which matches the declared memory usage.
Persistence & Privilege
ok
The skill does persist local memory under its own directory, which is expected and declared. always:false and normal autonomous invocation are used. The skill does not request system-wide or cross-skill configuration changes or Always-on privileges.