v0.1.1

Geizhals.at

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:49 AM.

Analysis

This appears to be a benign Geizhals price-checking skill, with expected outbound web requests and optional short-lived local caching.

Guidance: This skill does not request credentials or broad local access. Before installing, be aware that it will contact Geizhals.at for searches, relies on unofficial page parsing, and can optionally write fetched pages to a local cache; use small limits and a dedicated cache directory if you enable caching.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Info; Confidence: High; Status: Note
metadata
Source: unknown; Homepage: none

The skill has limited provenance metadata, although the provided artifacts do not show a remote installer, hidden dependency, or malicious supply-chain behavior.

User impact: Users have less external provenance information to rely on when deciding whether to trust the skill.
Recommendation: Review the included files before use and prefer a version with a public source or homepage if provenance is important.
Tool Misuse and Exploitation
Severity: Low; Confidence: Medium; Status: Note
scripts/geizhals.py
if first.startswith("http"):
            return first

Detail-page URLs come from the Geizhals autocomplete response and absolute URLs are accepted without visible host validation before being fetched.

User impact: In normal use this supports Geizhals lookups, but if an upstream response contained an unexpected absolute URL, the script could make an outbound request outside Geizhals.
Recommendation: Keep use limited to intended searches; a hardening improvement would be to validate that fetched detail URLs remain on geizhals.at.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low; Confidence: High; Status: Note
scripts/geizhals.py
CACHE_TTL_SECONDS = 900
...
_cache_path(cache_dir, url).write_text(body, encoding="utf-8")

When a cache directory is supplied, fetched HTML is stored locally and reused briefly, which is expected for caching but creates persistent local state.

User impact: Cached Geizhals page content may remain on disk for a short time and could affect repeated results if the cache directory is shared or modified.
Recommendation: Use a dedicated temporary cache directory if enabling caching, or omit --cache-dir when persistence is not needed.