Ecommerce Price Watcher
Pass
Audited by ClawScan on May 1, 2026.
Overview
This appears to be a legitimate price watcher, but it makes outbound web/search requests and stores product-watch history locally.
This skill looks coherent for price monitoring. Before installing, be aware that `add-item` sends search queries to DuckDuckGo, that checks fetch ecommerce pages over the network, and that watcher history is saved locally under your home directory. Use trusted product URLs, prefer `--trusted-only` for discovery, and only configure cron or alert forwarding if you want it to keep running periodically.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If given an internal, private, or unrelated URL, the skill could make a request to that location and include parsed page information in its output.
The script can fetch any user-added HTTP/HTTPS URL, with timeout and size limits. This is central to price monitoring, but it is broad enough that users should only add intended ecommerce URLs.
if p.scheme not in {"http", "https"}: ... with urlopen(req, timeout=TIMEOUT) as r:
Use trusted product URLs, prefer `--trusted-only` for query discovery, and avoid adding internal/private URLs.
Shopping queries may be disclosed to DuckDuckGo when using `add-item` mode.
Item-query mode sends the user's shopping query to DuckDuckGo for discovery. This is purpose-aligned, but the external provider is more explicit in code than in the SKILL.md description.
search_url = f"https://html.duckduckgo.com/html/?q={q}"
Avoid sensitive queries and document the search provider clearly before use in privacy-sensitive environments.
Product URLs, item queries, and price history can remain on the device across sessions.
The skill persists watched URLs, queries, current prices, and price history in a local state file, which matches its stated purpose of keeping price history.
STORE_PATH = Path.home() / ".openclaw" / "state" / "price-watcher" / "watchers.json"
Remove watchers when no longer needed and protect or delete the local state file if the shopping history is sensitive.
If the user sets up cron, the watcher may continue making network checks and generating alerts until disabled.
The skill suggests scheduled recurring use, but the artifact shows this as user-configured operational guidance rather than automatic installation of a background process.
Run every 30–120 minutes via cron, then send each alert to Telegram/WhatsApp/Discord.
Only schedule it intentionally, review alert forwarding destinations, and disable the schedule when monitoring is no longer needed.
Users have less external provenance information for verifying the publisher or upstream project.
The package does not provide an upstream source or homepage. No risky install script or external dependency chain is shown, so this is a provenance note rather than a concern.
Source: unknown; Homepage: none
Review the included files and package version before installing, especially in managed or enterprise environments.
