Skill v1.3.1
ClawScan security
Agent Negotiation Strategies: Game Theory, Auctions, and Dynamic Pricing for AI Agent Commerce · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign (Apr 15, 2026, 7:11 AM)
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: An instruction-only educational guide that appears to provide negotiation strategies and Python examples against a stated sandbox API and does not request credentials, installs, or elevated privileges.
- Guidance: This appears to be an educational guide that uses a public sandbox and does not request credentials or installs. Before using code from the guide: (1) review any example code if you plan to run it locally (it may assume Python packages like requests or numpy); (2) never paste production API keys or real financial credentials into third-party examples or sandboxes without verifying the service and its terms; (3) verify the GreenHelix sandbox URL yourself (https://sandbox.greenhelix.net was referenced) and confirm you understand its data retention and privacy policy; (4) if you plan to adapt examples to a production gateway, create dedicated service credentials with least privilege and test thoroughly in a controlled environment. If you want, I can scan the full SKILL.md for specific code snippets that call external endpoints or require packages and highlight any lines that would need closer review.
Review Dimensions
- Purpose & Capability (ok): The name and description promise negotiation strategies and example code against the GreenHelix gateway; the skill is instruction-only, requests no binaries or env vars, and explicitly states examples use a sandbox with no API key — this is consistent with the stated purpose.
- Instruction Scope (ok): The runtime instructions are a guide and illustrative code snippets (no executable install or agent-run hooks). The provided excerpt only references the GreenHelix sandbox and negotiation topics; there are no indications in the visible content that the guide instructs reading unrelated local files, harvesting credentials, or sending data to unexpected endpoints.
- Install Mechanism (ok): No install spec and no code files — the skill is instruction-only, so it does not write or execute code on disk. This is the lowest-risk install profile.
- Credentials (ok): No required environment variables, credentials, or config paths are declared. The guide states the sandbox requires no API key, so the lack of credentials is proportionate to the stated sandbox-driven examples.
- Persistence & Privilege (ok): always is false and the skill is user-invocable; it does not request permanent presence or modification of other skills. Autonomous invocation is allowed by default but not combined with other red flags here.
