Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Nex Pricewatch

v1.0.0

Monitor competitor and supplier website prices using CSS, XPath, or regex selectors; track changes with alerts, view history, trends, and export data locally.

by Nex AI (@nexaiguy)
MIT-0
Security Scan

Capability signals
Crypto: Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code (scraper, storage, alerter, CLI) implements the described price-watching features and stores data locally (~/.nex-pricewatch). Metadata and files are consistent with a price-monitor tool. However, the SKILL.md metadata lists a homepage (nex-ai.be) while the registry header shows 'Homepage: none', and the top-level requirements block shows no env vars even though SKILL.md declares Telegram env vars. These are minor metadata mismatches.
Instruction Scope
Runtime instructions ask the user to run setup.sh and use the CLI to add arbitrary target URLs and selectors. The scraper will fetch any URL you configure (using urllib), save HTML snapshots to ~/.nex-pricewatch/snapshots, and run regex/CSS/XPath extraction. Fetching arbitrary URLs is expected for the skill's purpose, but it creates SSRF/host-reachability risks if the tool is pointed at internal or sensitive endpoints. The SKILL.md does not warn about restricting target domains or internal addresses.
Install Mechanism
There is no formal install spec even though multiple code files are provided and SKILL.md asks to run setup.sh. The README claims 'No External Dependencies', but lib/alerter.py imports the third-party 'requests' package at module import time. The CLI imports alerter at startup, so running the tool will likely fail unless 'requests' is installed. The setup.sh content is present but not shown in full; it may create the command in PATH, so its actions should be reviewed before running.
Credentials
Telegram-related environment variables (NEX_PRICEWATCH_TELEGRAM_BOT_TOKEN, NEX_PRICEWATCH_TELEGRAM_CHAT_ID) are declared in SKILL.md and used in lib/config.py; they are optional (TELEGRAM_ENABLED defaults to False) and appropriate for the optional Telegram feature. However, the top-level registry indicates 'Required env vars: none', which contradicts SKILL.md's metadata listing these variables (they are optional but present). No other unrelated credentials or paths are requested.
Persistence & Privilege
The skill stores data under the user's home directory (~/.nex-pricewatch) and uses an on-disk SQLite DB; it does not request 'always: true' or global agent privileges. setup.sh may create an executable entry for the CLI (per README); inspect setup.sh before running to confirm it only installs into user-local locations.
What to consider before installing
This package appears to implement the advertised price-monitoring functionality, but take these precautions before installing or running it:

- Dependency: The code imports the third-party 'requests' library even though the README claims 'no external dependencies'. Install requests (pip install requests) or inspect setup.sh to see if it installs dependencies; running the CLI without requests may fail.
- Review setup.sh: it likely creates the data directory and may add the command to your PATH. Open and read setup.sh to confirm it only performs the expected local setup and does not modify system-wide files.
- Beware of SSRF/internal network access: the tool will fetch any URL you configure. Do not add internal/service URLs (localhost, 169.254.*, 10.* etc.) unless you understand the risk. Only monitor public competitor/supplier pages you are authorized to access.
- Telegram tokens: if you enable Telegram alerts, the bot token and chat ID are necessary. Only provide those secrets if you trust the code and machine. The tokens are used only to call api.telegram.org in HTTPS requests.
- Metadata mismatches: SKILL.md metadata (required env vars and homepage) and the registry header disagree — this looks like sloppy packaging rather than proven malicious intent, but you should verify the repository/source and the author before trusting it.

If you want to proceed safely: inspect setup.sh and the full source files locally, install dependencies in a virtualenv, run the tool with test targets (public pages) first, and keep an eye on what files it creates under ~/.nex-pricewatch. If you cannot inspect the files or confirm the install script, treat it as untrusted.

Like a lobster shell, security has layers — review code before you run it.


License

MIT-0
Free to use, modify, and redistribute. No attribution required.
