Skill v0.2.0
ClawScan security
Supermarket Offer Watcher · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 11, 2026, 10:32 AM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's files and instructions are consistent with a local grocery watchlist that searches the web for offers, but there are a few minor inconsistencies and things to check before installing (notably Python is required but not declared, and the source/homepage is unknown).
- Guidance
- This skill appears to do what it says: manage a local watchlist and use the agent's web search/fetch tools to find deals. Before installing, consider: 1) Python 3 is required to run the included script but is not listed in the metadata—ensure your agent environment provides python3. 2) The skill will fetch external web pages (via web_fetch) to validate offers — confirm you are comfortable with the agent accessing arbitrary retailer pages and that any fetched content is acceptable to be read/processed. 3) Data is stored under /data/workspace/data/supermarkt-watchlist.json; ensure that path is writable and you are OK with storing location and product lists there. 4) The package source/homepage is unknown — if you prefer verified sources, request a published source or repository before installing. If you want higher assurance, ask the publisher for a link to a repository or release artifacts and verify the Python requirement is declared.
Review Dimensions
- Purpose & Capability
- note: The skill's stated purpose (maintain a local watchlist and check nearby supermarket deals) matches the included files and workflow. However, SKILL.md instructs running python3 scripts/watchlist.py, yet the registry metadata lists no required binaries; Python 3 should be required but isn't declared. Also the skill assumes the agent has web_search/web_fetch capabilities (reasonable for this purpose) and a writable /data/workspace path.
- Instruction Scope
- ok: SKILL.md stays within scope: it reads and writes a local JSON watchlist, describes performing web_search and web_fetch to validate offers, deduplicates results, and formats alerts. It does not instruct reading unrelated system files or contacting arbitrary endpoints beyond fetching result page URLs. The instructions for cron use are explicit and recommend an isolated sessionTarget.
- Install Mechanism
- ok: There is no install spec (instruction-only plus a small local script), so nothing will be downloaded or executed during install. The included Python script is small and only manages the JSON data file; no third-party installs are required by the package itself.
- Credentials
- ok: The skill requests no environment variables, credentials, or config paths beyond a local workspace file (/data/workspace/data/supermarkt-watchlist.json). This is proportionate to its purpose.
- Persistence & Privilege
- ok: The skill does not request always:true and uses the platform's normal autonomous invocation defaults. It manages only its own data file and does not attempt to modify other skills or system-wide configuration.
