ClawHub

Dtcpriest

v1.2.0

DTCPriest - Competitor price monitoring for DTC brands. Visit https://dtcpriest-vercel.vercel.app to subscribe, then run 'dtcpriest connect' and paste your a...

0· 28·0 current·0 all-time
by@shepherd217
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (competitor price monitoring) align with what the skill requests: a single primary credential DTCPRIEST_KEY and CLI commands to connect/check. No unrelated env vars, binaries, or surprising privileges are requested.
Instruction Scope
SKILL.md instructs the user to subscribe on the vendor site, run 'clawhub install dtcpriest' and 'dtcpriest connect' (paste access key), then run checks. The instructions do not request reading unrelated files or system secrets, but they do send product queries and your access key to the vendor's infrastructure as part of normal operation—so data you check will be transmitted externally.
Install Mechanism
There is no embedded install script or external download URL in the package (instruction-only). The SKILL.md references the platform installer (clawhub), which is expected. Included code is a tiny __init__.py with no behavior—no risky install artifacts were found.
Credentials
Only a single primary credential (DTCPRIEST_KEY) is declared, which is proportionate to a hosted monitoring service that requires an API key. No other secrets, keys, or unrelated environment variables are requested.
Persistence & Privilege
always is false and there are no config paths or system-level modifications requested. The skill can be invoked autonomously by the agent (disable-model-invocation=false), which is the platform default; combined with the external service this increases blast radius but is not itself inconsistent with the skill's purpose.
Assessment
This skill appears to do what it says: it uses a single access key to query the vendor's hosted monitoring service. Before installing or pasting your key: (1) verify the vendor/site (https://dtcpriest-vercel.vercel.app) is legitimate and uses HTTPS, (2) review the vendor's privacy and billing terms since product queries and results will be sent to their servers, (3) avoid using any sensitive credentials or private product data with the skill, and (4) if you need lower risk, prefer a skill that runs monitoring from your own infrastructure or that has open-source client code you can audit. If you want higher assurance, ask the publisher for source code or a reproducible install manifest and confirm how the key is stored and transmitted.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f9xnfj3en3gn9b4jgj3vb9d84s4nf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Clawdis
Primary envDTCPRIEST_KEY

Comments