v1.0.0

Naver Shopping Plus

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:47 AM.

Analysis

The skill coherently performs shopping price comparison, but it uses a Naver API secret and sends searches to external shopping sites, so credentials and search terms should be handled carefully.

Guidance: This skill appears purpose-aligned for shopping search. Before installing, use a virtual environment, protect the Naver API secret, avoid printing or sharing the secret, and remember that searches are sent to Naver/Coupang/11st. Use moderate request volume to reduce the chance of site blocking.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Info; Confidence: High; Status: Note
README.md
pip install requests beautifulsoup4 lxml

The setup uses common Python packages, but the versions are not pinned. This is a normal user-directed setup step, not hidden installation behavior.

User impact: Dependency installation depends on the package index and currently resolved versions.
Recommendation: Install in a virtual environment from a trusted package index, and pin versions or hashes if reproducible installs are important.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low; Confidence: High; Status: Note
README.md
NAVER_Client_ID=your_client_id
NAVER_Client_Secret=your_client_secret ... echo $NAVER_Client_Secret

The skill expects a Naver API credential and the troubleshooting example prints the secret. This is expected for Naver API access, but the secret should be treated as sensitive.

User impact: A leaked Naver API secret could let someone else use or abuse the user's API quota or application credentials.
Recommendation: Use a restricted Naver API key, avoid pasting or echoing the secret in shared logs/chats, and rotate the key if it is exposed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low; Confidence: High; Status: Note
scripts/search.py
https://openapi.naver.com/v1/search/shop.json?query=...; https://www.coupang.com/np/search?q=...; https://search.11st.co.kr/Search.tmall?kwd=...

The user's search query is sent to Naver, Coupang, and 11st. This data flow is central to the skill's purpose and is disclosed, but users should know search terms leave the local environment.

User impact: Product search terms may be visible to third-party shopping services.
Recommendation: Avoid using confidential or sensitive search terms, and use the platform filter if you only want to query specific sites.