Skill v1.0.0
ClawScan security
Coffee Prices by City · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 5, 2026, 12:15 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and instructions match its stated purpose (producing city-level reference coffee prices). It makes an optional external IP lookup and requires the requests package, but otherwise asks for no credentials or broad system access.
- Guidance: This skill appears to be what it says: a local Python script that returns city-level reference prices. Before running: (1) review BASE_PRICES and CITY_TIERS in scripts/coffee_prices.py if you need different values; (2) be aware the script may call https://ipinfo.io/json to auto-detect the city when neither --city nor OPENCLAW_CITY is provided, so network access is required in that case; (3) installing dependencies will pull the requests package from PyPI, so run the install in a virtualenv or sandbox if you prefer; (4) OPENCLAW_CITY is optional (not listed as required), so pass --city or set OPENCLAW_CITY if you want deterministic behavior with no outbound network call.
Review Dimensions
- Purpose & Capability: ok
  Name/description align with the included code and SKILL.md. The script computes reference prices from the embedded BASE_PRICES and CITY_TIERS and formats output as markdown/json/csv as advertised. Use of the requests library and an optional IP geolocation lookup is coherent with the advertised "auto-detect city" feature.
- Instruction Scope: note
  SKILL.md and the CLI instruct the agent to optionally infer the city from the caller's IP via https://ipinfo.io/json and to read an optional environment variable, OPENCLAW_CITY. The instructions do not access unrelated system files or credentials. Note: OPENCLAW_CITY is used if present but is not declared as a required env var (it is optional).
- Install Mechanism: note
  No registry install spec; this is effectively an instruction-only skill with provided Python scripts and a requirements.txt listing requests>=2.31.0. Installing dependencies via pip will fetch from PyPI (expected). Note that >=2.31.0 is a lower bound rather than an exact pin, so the resolved version depends on what PyPI serves at install time. No downloads from untrusted URLs or archives are present.
- Credentials: note
  The skill does not require credentials or secret environment variables. It optionally reads OPENCLAW_CITY and performs one outbound HTTPS request for IP-based geolocation. The optional env var is reasonable for the feature, but the registry metadata lists no environment variables while the runtime supports one optional variable.
- Persistence & Privilege: ok
  No elevated persistence requested (always:false). The skill does not modify other skills or system settings and has no install-time hooks in the registry metadata.
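The pre-run review recommended under Guidance and the Instruction Scope, Install Mechanism and Credentials checks above can be automated with a small static audit of the skill directory. The script below is an added example, not part of the ClawHub report or of the Coffee Prices by City skill: it walks each Python file's AST for URL literals, environment-variable reads and process spawns, and parses requirements.txt for dependencies that are not exact pins. The skill files it scans are constructed inline to mirror the report's findings (an https://ipinfo.io/json lookup, an optional OPENCLAW_CITY read, requests>=2.31.0); the real scripts/coffee_prices.py may differ, and all function and variable names are the example's own.

```python
"""Static pre-run audit of a skill directory (added example, not the skill's code).

Records outbound hosts referenced in code, environment variables read, shell or
subprocess use, and requirements that are not pinned with '=='. SAMPLE_SKILL is
CONSTRUCTED from the scan report's findings; the real skill may differ.
"""
import ast
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Any http(s) URL literal embedded in a string constant.
URL_RE = re.compile(r"""https?://[^\s'"<>]+""")
# Requirement line: name, optional operator, optional version (PEP 440-ish).
REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9_.-]*)\s*([<>=!~]+)?\s*([^\s;#]+)?")


@dataclass
class Findings:
    hosts: set = field(default_factory=set)        # network endpoints in code
    env_vars: set = field(default_factory=set)     # environment variables read
    subprocess_calls: int = 0                      # shell or process spawns
    unpinned: list = field(default_factory=list)   # deps without an exact '=='


def _dotted(node: ast.AST) -> str:
    """Return e.g. 'os.environ.get' for an Attribute/Name chain, else ''."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def audit_python(source: str, findings: Findings) -> None:
    """Walk the AST once and record hosts, env reads and process spawns."""
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in ("os.getenv", "os.environ.get") and node.args:
                key = node.args[0]
                if isinstance(key, ast.Constant) and isinstance(key.value, str):
                    findings.env_vars.add(key.value)
            elif name == "os.system" or name.startswith("subprocess."):
                findings.subprocess_calls += 1
        elif isinstance(node, ast.Subscript) and _dotted(node.value) == "os.environ":
            key = node.slice          # os.environ["X"]; Python 3.9+ slice node
            if isinstance(key, ast.Constant) and isinstance(key.value, str):
                findings.env_vars.add(key.value)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for url in URL_RE.findall(node.value):
                findings.hosts.add(urlsplit(url).netloc)


def audit_requirements(text: str, findings: Findings) -> None:
    """Flag every requirement that is not an exact '==' pin."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "-")):   # comments, -r/-e/--options
            continue
        match = REQ_RE.match(line)
        if match:
            pkg, op, version = match.groups()
            if op != "==" or not version:
                findings.unpinned.append(pkg)


def audit_skill(files: dict) -> Findings:
    """files maps relative path -> content, as read from the unpacked skill."""
    findings = Findings()
    for path, content in files.items():
        if path.endswith(".py"):
            audit_python(content, findings)
        elif path.endswith("requirements.txt"):
            audit_requirements(content, findings)
    return findings


# CONSTRUCTED stand-in for the skill, shaped only by the report's findings.
SAMPLE_SKILL = {
    "scripts/coffee_prices.py": '''
import argparse
import os
import requests

BASE_PRICES = {"espresso": 2.50, "latte": 4.00}   # illustrative values
CITY_TIERS = {"New York": 1.3, "Lisbon": 0.8}

def detect_city():
    # Optional network fallback when no city is supplied.
    return requests.get("https://ipinfo.io/json", timeout=5).json().get("city")

def main():
    parser = argparse.ArgumentParser()
    parser.add_argument("--city")
    args = parser.parse_args()
    city = args.city or os.environ.get("OPENCLAW_CITY") or detect_city()
    print(city)
''',
    "requirements.txt": "requests>=2.31.0\n",
}

if __name__ == "__main__":
    result = audit_skill(SAMPLE_SKILL)
    print("hosts:", sorted(result.hosts))
    print("env vars:", sorted(result.env_vars))
    print("subprocess calls:", result.subprocess_calls)
    print("unpinned deps:", result.unpinned)
```

On the constructed input the audit reports one host (ipinfo.io), one environment variable (OPENCLAW_CITY), no process spawns, and requests as unpinned, which matches the three notes above. A lower bound such as >=2.31.0 lets pip resolve whatever newer release PyPI serves, so for a reproducible install inside the virtualenv pin an exact version and install with pip's --require-hashes mode. The walk is deliberately heuristic: a URL assembled from fragments or an environment read through os.environ.copy() would be missed, which is why reading SKILL.md and the script itself remains part of the review.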
