Coffee Prices by City
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill appears benign: it uses a local script and built-in reference tables, with a disclosed optional IP lookup if no city is supplied.
This skill is reasonable to install if you are comfortable with a simple local Python script and optional IP-based city inference. To avoid sharing IP-derived location with ipinfo.io, provide a city explicitly when using it. If reproducibility matters, pin the Python dependency version before installing.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A future dependency version could behave differently, although there is no artifact evidence of hidden or malicious installation behavior.
The skill asks users to install dependencies from requirements.txt, and the lower-bound specifier below can resolve to different future versions. The requests package is common and is purpose-aligned with the disclosed IP lookup.
requests>=2.31.0
For reproducibility, pin the dependency to an exact reviewed version if installing in a sensitive environment.
If the user omits the city, ipinfo.io may receive the user's IP address and return a coarse location used in the price table.
When no city is provided and no OPENCLAW_CITY environment variable is set, the script contacts ipinfo.io to infer the current city from the network IP address.
resp = requests.get("https://ipinfo.io/json", timeout=timeout)
Specify the city explicitly, or set OPENCLAW_CITY, if you do not want the skill to perform the external IP-based location lookup.
