Skill v1.0.7
ClawScan security
Best Product · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 28, 2026, 4:43 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's instructions, required resources, and behavior are coherent with a product-recommendation tool: it uses public review sources and a local 6-hour cache, requests no credentials, and has no installable code.
- Guidance: This skill is internally consistent and doesn't request secrets or install code. Before installing: (1) accept that it will write cached results to ~/.openclaw/cache/best-products/ (you can delete the folder anytime); (2) note the default region is NL (you can override per query); (3) the skill enforces a price-order rule that may reorder or drop picks to maintain Budget ≤ Best Value ≤ Top Pick; (4) future versions may add scheduled checks or external APIs (Keepa, Coolblue) which could require credentials — review later versions for added env vars or background jobs. If any of these behaviors are unacceptable, do not install, or inspect the SKILL.md/README again when updating.
Review Dimensions
- Purpose & Capability (ok): Name/description match the runtime instructions: the skill aggregates review sources, price comparisons, and retailer availability across regions. It does not request unrelated credentials, binaries, or config paths.
- Instruction Scope (note): The SKILL.md confines activity to web searches (Brave Search via the platform's web_search/web_fetch), filtering by region, producing three categorized picks, and caching results locally. It explicitly instructs the agent to read the system date and write cache files to ~/.openclaw/cache/best-products/. This file I/O is within the stated purpose but is a persistent artifact the user should be aware of. The skill also enforces a price-ordering rule (Budget ≤ Best Value ≤ Top Pick), which is a functional choice rather than a security issue but can affect recommendations.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files. This is low risk because nothing is downloaded or written by an installer. Runtime behavior is limited to platform-provided web_search/web_fetch and writing a local cache.
- Credentials (ok): No required environment variables, credentials, or privileged config paths are declared. The SKILL.md and README explicitly state it uses the platform's web_search/web_fetch and requires no API keys. Planned enhancements (e.g., Coolblue API, Keepa, scheduled price alerts) could later require credentials, but they are not in this release.
- Persistence & Privilege (note): always:false (normal). The skill writes cache files to the user's home (~/.openclaw/cache/best-products/) for 6 hours — a modest, declared persistence. Future planned features mention alerts stored in ~/.openclaw/cache/alerts.json and a daily cron; those would increase persistence/privilege if implemented, but are not present now.
