pick the best - shopping assistant
Advisory
Audited by Static analysis on Mar 13, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may run command-line HTTP requests as part of shopping searches.
The skill asks the agent to use Bash/curl to make remote API calls. This is central to the shopping-search purpose, but it is still a raw command pathway users should keep limited to the documented endpoint and shopping requests.
### Step 3: Make API Call
Use Bash tool to call HTTP API with JSON-RPC format.
Approve only API calls that match the documented Pick the Best shopping endpoint and avoid approving unrelated shell commands.
Your shopping searches and any details you type into them may be processed by the external Pick the Best service.
The skill configures a remote MCP server over SSE. This is disclosed and aligned with the shopping assistant purpose, but user queries and conversation context may be sent to that external service.
"type": "sse", "url": "https://pickthebest.com/gb/en/v1/shopping/mcp"
Do not include sensitive personal details in shopping queries unless you are comfortable sending them to the external service.
Users might assume nothing personal can be transmitted, even though personal details typed into a shopping request could be sent with the query.
The privacy wording is broad: while no credentials or local personal data are requested, the user's search queries are still sent for processing and could contain personal details if the user includes them.
- No personal data is sent to the API
- Search queries are processed by GPT-4 for intent recognition
Treat the privacy claim narrowly and avoid putting private personal information into shopping prompts.
