Skill v0.2.0

ClawScan security

PriceWorld · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 1, 2026, 4:19 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill claims real-time, independently verified pricing across multiple categories but is an instruction-only bundle with almost no data or integration, so its claims are not supported by the files provided.
Guidance
The skill makes strong claims about live, independently verified pricing but supplies no code, API integration, or comprehensive data files to back those claims. Before installing or relying on it: (1) verify the referenced website (https://priceworld.com) and whether it actually hosts the promised data; (2) ask the publisher how live pricing is retrieved and how often verification occurs; (3) request sample outputs for providers you care about and check them against vendor pages; (4) do not paste API keys or account screenshots into queries; and (5) treat results as informational until you confirm freshness and sources. If the publisher cannot show the data sources or an API, consider this skill incomplete and avoid trusting it for purchase decisions.

Review Dimensions

Purpose & Capability
concern: The description promises real-time verified pricing across five categories and direct checkout testing, but the skill contains no code, no network integration, no required credentials, and only one static reference file (email-marketing). There is no mechanism supplied to fetch or verify live prices, so the scope of claimed capabilities is not supported by the package.
Instruction Scope
note: SKILL.md defines commands (lookup/compare/cheapest/etc.) and expected return values but gives no runtime procedure for obtaining live data. The instructions do not ask the agent to read local files or environment variables beyond the included reference, which limits immediate risk, but they implicitly rely on external data that is not present or linked in the skill.
Install Mechanism
ok: No install spec and no code files — lowest install risk. Nothing will be written to disk by an installer because the skill is instruction-only.
Credentials
note: The skill requests no environment variables, credentials, or config paths (proportionate). However, the claimed practice of direct checkout testing would typically require payment methods or accounts — none are requested here, which is inconsistent with the verification claims.
Persistence & Privilege
ok: always is false and there is no install-time behavior or config modification. The skill can be invoked autonomously (platform default), which is normal and not by itself a red flag.