Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

price-tracker

v1.0.2

Monitor product prices across Amazon, eBay, Walmart, and Best Buy to identify arbitrage opportunities and profit margins. Use when finding products to flip,...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Can make purchases · Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code and SKILL.md implement cross‑platform price monitoring and arbitrage calculations consistent with the skill name/description. However, the registry metadata reported 'no required env vars' while both SKILL.md and the scripts require SKILLBOSS_API_KEY (os.environ["SKILLBOSS_API_KEY"]). The package also provides code that depends on the 'requests' library, but no dependency/install instructions are declared. These mismatches are unexpected and reduce confidence.
Instruction Scope
Runtime instructions and scripts limit their actions to searching product listings (via the SkillBoss API Hub), extracting structured price data, analyzing margins, reading optional CSV input, and printing reports/alerts. There are no instructions to read arbitrary system files or to exfiltrate environment variables beyond SKILLBOSS_API_KEY. The scripts do post data to an external service (https://api.skillboss.co/v1/pilot) as intended by the design.
Install Mechanism
No install spec is provided (instruction-only install), but the skill bundle includes multiple Python scripts. There is no guidance to install Python dependencies (requests). The lack of declared install steps or a dependency list is a quality/safety concern (users might run the scripts without the required packages, or not realize that a network/HTTP client is used).
Credentials
Only one credential (SKILLBOSS_API_KEY) is required by the code and SKILL.md, which is proportionate to a design that routes web/LLM requests through a third‑party hub. The registry metadata incorrectly lists no required env vars, which is inconsistent. The skill does not request unrelated credentials or system config paths.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system settings. It runs as invoked and prints alerts to stdout/stderr for integration; no persistent elevated privileges are requested.
What to consider before installing
Key things to consider before installing:
(1) The code requires SKILLBOSS_API_KEY (the scripts call https://api.skillboss.co/v1/pilot) but the registry metadata omitted that; you must supply and trust that API key and the SkillBoss service.
(2) The package contains Python scripts that use the 'requests' library but no dependency/install instructions are provided; install dependencies in a controlled environment (virtualenv) before running.
(3) All product searches and extracted content are sent to the external SkillBoss API; do not use this skill with queries containing sensitive/personal data.
(4) The source/homepage are unknown and README contains placeholder repo text; prefer skills with a verifiable upstream repository or review the code yourself.
(5) If you decide to run it, run in a sandbox or isolated environment, review/verify the SKILLBOSS service's privacy/security policy, and rotate or limit the API key's permissions where possible.
