ClawHub

Naver Shopping Plus

PassAudited by ClawScan on May 1, 2026.

Overview

The skill coherently performs shopping price comparison, but it uses a Naver API secret and sends searches to external shopping sites, so credentials and search terms should be handled carefully.

This skill appears purpose-aligned for shopping search. Before installing, use a virtual environment, protect the Naver API secret, avoid printing or sharing the secret, and remember that searches are sent to Naver/Coupang/11st. Use moderate request volume to reduce the chance of site blocking.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low
#ASI03: Identity and Privilege Abuse
What this means

A leaked Naver API secret could let someone else use or abuse the user's API quota or application credentials.

Why it was flagged

The skill expects a Naver API credential and the troubleshooting example prints the secret. This is expected for Naver API access, but the secret should be treated as sensitive.

Skill content
NAVER_Client_ID=your_client_id
NAVER_Client_Secret=your_client_secret ... echo $NAVER_Client_Secret
Recommendation

Use a restricted Naver API key, avoid pasting or echoing the secret in shared logs/chats, and rotate the key if it is exposed.

Low
#ASI07: Insecure Inter-Agent Communication
What this means

Product search terms may be visible to third-party shopping services.

Why it was flagged

The user's search query is sent to Naver, Coupang, and 11st. This data flow is central to the skill's purpose and is disclosed, but users should know search terms leave the local environment.

Skill content
https://openapi.naver.com/v1/search/shop.json?query=...; https://www.coupang.com/np/search?q=...; https://search.11st.co.kr/Search.tmall?kwd=...
Recommendation

Avoid using confidential or sensitive search terms, and use the platform filter if you only want to query specific sites.

Info
#ASI04: Agentic Supply Chain Vulnerabilities
What this means

Dependency installation depends on the package index and currently resolved versions.

Why it was flagged

The setup uses common Python packages, but the versions are not pinned. This is a normal user-directed setup step, not hidden installation behavior.

Skill content
pip install requests beautifulsoup4 lxml
Recommendation

Install in a virtual environment from a trusted package index, and pin versions or hashes if reproducible installs are important.