Skill flagged: suspicious patterns detected. ClawHub Security flagged this skill as suspicious. Review the scan results before using.

PriceClaw

v1.0.1

Query and contribute to PriceClaw, a crowdsourced price database. Search prices, submit new price data, and vote on existing entries.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Pending

OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes a PriceClaw search/submit/vote client and only needs a PriceClaw API key — that is coherent with the stated purpose. However, registry metadata lists no required env vars and no homepage/source while SKILL.md declares PRICECLAW_API_KEY and references https://priceclaw.io, creating an inconsistency between declared requirements and the runtime instructions.
Instruction Scope
Runtime instructions are explicit: start a browser OAuth flow, poll /v1/auth/poll, and (with user permission) persist the returned API key to the user's OpenClaw env config (~/.openclaw/.env or openclaw.json). The instructions also allow an alternate direct registration using a user-provided provider access token (e.g., a GitHub PAT) if the user initiates. These operations are within the skill's domain but involve sensitive actions (opening a browser flow, polling, and writing an API key to disk) that require clear user consent.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — lowest install risk. Nothing is written to disk by an installer; any writes come from the agent following the SKILL.md instructions and (per the doc) only after user confirmation.
Credentials
Only a single service credential (PRICECLAW_API_KEY) is required for write operations, which is proportionate. That said, registry metadata not listing required env vars while SKILL.md does is a mismatch. The alternative flow asking the user to paste a provider access token (PAT) is potentially sensitive but described as optional and user-initiated — verify the agent does not prompt for or store unrelated secrets.
Persistence & Privilege
The skill does not request always:true or system-wide privileges. It instructs the agent to persist the PriceClaw API key to the user's OpenClaw config only after asking for permission. It does not claim to modify other skills or system configs.
What to consider before installing
This skill appears to implement a legitimate PriceClaw client, but note the registry metadata omits the PRICECLAW_API_KEY declared in SKILL.md and the registry lists no homepage/source while the skill points to priceclaw.io — that's an inconsistency you should verify. Before installing or using: (1) confirm the PriceClaw site and API docs are legitimate; (2) be prepared to explicitly approve any browser OAuth flow and any filesystem write; (3) never paste provider personal access tokens unless you initiated that action and understand the token's scope; and (4) prefer the browser OAuth flow over handing a PAT. If you need higher assurance, ask the publisher for a source repository or a signed package and insist the skill's registry metadata be updated to match SKILL.md.


Runtime requirements

Environment variables: PRICECLAW_API_KEY (required)