Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
ecommerce-price
v1.0.0
Monitor and compare product prices across major marketplaces in real time to detect drops, promotions, stock changes, and get AI-driven repricing recommendat...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to monitor prices across marketplaces and its instructions use Apify actors and apify-client — that matches the description. However, the registry metadata lists no required environment variables or credentials while the instructions explicitly require an APIFY_TOKEN and npm packages (apify-client, axios). The missing declarations are an inconsistency.
Instruction Scope
SKILL.md provides concrete code examples that call Apify actors, fetch datasets, and export data or send webhooks — all within the advertised scope. There are no instructions to read unrelated system files or harvest unrelated credentials. The instructions do tell the user to export APIFY_TOKEN and to run npm install, and they include vague features (scheduling, webhooks) without concrete safety/permission guidance, which could be clarified.
Install Mechanism
This is an instruction-only skill with no install spec or bundled code. That is lower risk. The SKILL.md suggests running 'npm install apify-client axios' locally; that is typical for the described JavaScript examples and is not performed automatically by the platform.
Credentials
The runtime instructions require an APIFY_TOKEN (Personal API Token) and implicitly rely on an Apify account/billing, but the skill metadata does not declare any required env vars or a primary credential. That mismatch (unreported credential requirement) reduces transparency and is a security/operational concern. No other unrelated secrets are requested.
Persistence & Privilege
The skill is not always-enabled and does not request system paths or persistent privileges. It does not attempt to modify other skills or global agent config according to the provided files.
What to consider before installing
This skill appears to do what it says (using Apify to scrape prices) but the package registry metadata left out the APIFY_TOKEN requirement and the documentation asks you to run npm install locally. Before installing or using it:
1) Verify with the publisher why the registry shows no required env vars while SKILL.md requires APIFY_TOKEN.
2) Only provide an Apify Personal API Token if you trust the skill and understand what data will be scraped and where results/webhooks will be sent.
3) Be cautious about scheduling automated runs or webhooks to external endpoints—review what data will be exported.
If you need higher assurance, ask the author to publish correct metadata (declaring APIFY_TOKEN) and to clarify webhook endpoints and scheduling behavior.
Like a lobster shell, security has layers — review code before you run it.
