Skill v1.1.0
ClawScan security
Ecommerce Price Watcher · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 13, 2026, 7:28 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code and instructions match its stated purpose (monitoring product pages, extracting prices, storing a local watcher file and discovering URLs via DuckDuckGo); it requests no credentials and does not contact hidden endpoints or perform surprising system access.
- Guidance
- This skill appears to do what it says: it scrapes product pages, keeps a local JSON store (~/.openclaw/state/price-watcher/watchers.json), and can discover links via DuckDuckGo. Before installing or scheduling it: (1) don't add URLs that point to internal resources or pages requiring credentials (the script will fetch any HTTP/HTTPS URL you provide); (2) be aware it will make outbound requests to the sites you monitor and to html.duckduckgo.com for discovery; (3) review the local store file if you care about what data is being kept; (4) the script does not include built-in forwarding to Telegram/WhatsApp/Discord — forwarding must be implemented externally and you should avoid sending sensitive data to third-party services; (5) if you plan to run frequent checks, consider rate limits and site policies to avoid being blocked. If you want higher assurance, run the script in a restricted environment or inspect/modify the source before use.
Review Dimensions
- Purpose & Capability
- ok: Name/description align with implementation: the script fetches product pages, extracts prices (JSON-LD, meta tags, regex), discovers candidate URLs via DuckDuckGo HTML search, and stores watches. The Trusted domains list and CLP examples are consistent with a Chile-focused price watcher.
- Instruction Scope
- note: SKILL.md instructs running the included script and scheduling checks. The runtime instructions and code only read/write a JSON store under the user's home (~/.openclaw/state/price-watcher/watchers.json) and make outbound HTTP(S) requests to user-supplied URLs and DuckDuckGo. Note: any URL you add (including internal or intranet addresses reachable from the host) will be fetched, so avoid adding sensitive endpoints or authenticated pages requiring credentials.
- Install Mechanism
- ok: No install spec; this is instruction+script only. Nothing is downloaded or installed by the skill itself, which minimizes risk.
- Credentials
- ok: The skill declares no environment variables, no credentials, and uses no external API keys. It does perform network requests to sites and DuckDuckGo as needed, which is proportional to its purpose.
- Persistence & Privilege
- ok: "always" is false and the skill stores only its own watcher state under the user's home directory. It does not modify other skills or system-wide agent settings.
