ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Slickdeals

v1.1.0

Search Slickdeals.net for deals, coupons, and promo codes. Use when the user asks for deals, discounts, price comparisons, or to find cheap games, electronic...

0· 76·0 current·0 all-time
by@ricanwarfare
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims to search Slickdeals and verify/parse active deals (title, price, discount, store, score, comments, coupon codes). The included Python file contains a parser and a Deal dataclass but the search_deals() implementation actually returns unstructured strings extracted with very simple regex/line scanning and does not perform per-deal page verification or extraction of the structured fields described in SKILL.md. This mismatch means the implementation does not meet the stated purpose.
Instruction Scope
SKILL.md instructs the agent to fetch search results and then fetch each individual deal page to confirm active status, read comments for coupon codes, and avoid expired deals. Those instructions are within the skill's stated purpose and do not request unrelated system files or secrets. However, the text mandates using an external runtime function (ollama_web_fetch) and strict verification steps; the shipped code does not implement these verification steps, so the runtime behavior may not follow the documented safety/accuracy rules.
Install Mechanism
No install spec is present and the skill is instruction-only with one included Python file. Nothing is downloaded from external URLs or installed automatically, which is low-risk from an install mechanism perspective.
Credentials
The skill declares no required environment variables, credentials, or config paths, and the code does not access any system secrets or environment variables. Requested privileges are proportional to the stated purpose.
Persistence & Privilege
The skill does not request always:true or other elevated persistence. It is user-invocable and allows autonomous invocation by default (platform normal). There is no evidence it modifies other skills or system-wide settings.
What to consider before installing
This skill's documentation demands careful per-deal verification and extraction of specific fields, but the bundled code does not implement those checks and returns unstructured strings instead. Before installing or relying on it: (1) ask the publisher to reconcile SKILL.md and code — specifically implement per-deal page fetches, expiration checks, and extraction of title/price/discount/store/score/coupons; (2) test results on representative queries to confirm it excludes expired deals and extracts coupon codes correctly; (3) if you plan to run the included Python code, review network endpoints it calls and run it in a sandboxed environment; and (4) prefer a skill where the implementation matches the verification guarantees claimed in the documentation.

Like a lobster shell, security has layers — review code before you run it.

dealsvk978a6cgktd040dnjnptn1n4rd848ctylatestvk9796xnd09pb7cv7kc1t1ryxt984cfzpshoppingvk978a6cgktd040dnjnptn1n4rd848cty

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments