ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AgentDeals

v1.0.0

Search and compare 1,500+ developer infrastructure deals — free tiers, startup credits, and pricing changes across 54 categories.

0· 113·0 current·0 all-time
by@robhunter

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for robhunter/agentdeals.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "AgentDeals" (robhunter/agentdeals) from ClawHub.
Skill page: https://clawhub.ai/robhunter/agentdeals
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install agentdeals

ClawHub CLI

Package manager switcher

npx clawhub@latest install agentdeals
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill's name/description (deal search, compare, track pricing changes) matches the included server code, data files, REST endpoints, and MCP tools (search_deals, plan_stack, compare_vendors, track_changes). The repo contains an HTTP/MCP server, OpenAPI, data/index.json and ingestion/monitoring scripts which are consistent with an aggregator service. Minor note: the registry lists "No install spec / instruction-only" while the package contains full source, package.json, and README instructions for npx/git releases — this is a documentation/packaging mismatch but not evidence of misbehavior.
Instruction Scope
SKILL.md asks the agent to connect to a remote MCP server (https://agentdeals.dev/mcp) or run the npm package locally (npx). The runtime instructions do not instruct reading unrelated local files, secrets, or scanning system state. Tools and parameters are narrowly scoped to searching/planning/comparison/tracking deals. The documentation does reference client config file locations (where to put .mcp.json) but does not require the skill to read other local configs or credentials.
Install Mechanism
No install spec is declared in the registry entry (instruction-only), yet the package includes package.json, package-lock.json, server code, and README guidance for installing via npx, GitHub releases, or platform-specific plugin installs. This is plausible (author offering hosted and local npx options) but you should verify the published npm package and release URLs before running npx or double-clicking an MCP package from an untrusted source. No suspicious remote install URLs or extract operations are present in the registry metadata.
Credentials
The skill declares no required environment variables and the SKILL.md says "No API key required." The codebase and docs mention optional env vars (PORT, BASE_URL, GOOGLE_SITE_VERIFICATION, telemetry/Upstash in changelog) for self-hosting, which is normal. No credentials or unrelated secrets are requested by the skill.
Persistence & Privilege
always:false and default agent invocation/autonomy are set (normal). The skill does not request system-wide config changes or access to other skills' configs. It's a remotely hosted service (or local npx binary) and does not ask for persistent elevated privileges in the registry metadata.
Assessment
AgentDeals appears coherent for its purpose, but before installing or pointing clients at the hosted endpoint consider: 1) If you are privacy-sensitive, understand that queries go to the remote host (agentdeals.dev) and could be logged — prefer running locally via `npx agentdeals` if you want control. 2) Verify the npm package and/or GitHub release publisher (owner identity) before running npx or double-clicking an .mcpb. 3) Review package.json scripts (if running local) to ensure no unexpected postinstall actions. 4) The skill does not request API keys or secrets, but avoid sending any sensitive data in queries to the remote server. 5) If you want stronger assurance, inspect the included source (server.ts, data files) locally and run the server in a sandbox before connecting your agent.
scripts/ingest-startup-deals.ts:65
Shell command execution detected (child_process).
scripts/parse-free-for-dev.ts:125
Shell command execution detected (child_process).
test/api-client.test.ts:12
Shell command execution detected (child_process).
test/audit-stack.test.ts:90
Shell command execution detected (child_process).
test/categories.test.ts:51
Shell command execution detected (child_process).
test/costs.test.ts:86
Shell command execution detected (child_process).
test/deal-changes.test.ts:65
Shell command execution detected (child_process).
test/error-handling.test.ts:64
Shell command execution detected (child_process).
test/expiring-deals.test.ts:72
Shell command execution detected (child_process).
test/head-requests.test.ts:15
Shell command execution detected (child_process).
test/http.test.ts:13
Shell command execution detected (child_process).
test/new-offers.test.ts:74
Shell command execution detected (child_process).
test/newest-deals.test.ts:72
Shell command execution detected (child_process).
test/query-log.test.ts:12
Shell command execution detected (child_process).
test/resources.test.ts:13
Shell command execution detected (child_process).
test/search.test.ts:14
Shell command execution detected (child_process).
test/server.test.ts:43
Shell command execution detected (child_process).
test/stacks.test.ts:97
Shell command execution detected (child_process).
test/vendor-risk.test.ts:95
Shell command execution detected (child_process).
test/weekly-digest.test.ts:91
Shell command execution detected (child_process).
src/api-client.ts:5
Environment variable access combined with network send.
src/serve.ts:17
Environment variable access combined with network send.
src/stats.ts:48
Environment variable access combined with network send.
test/audit-stack.test.ts:145
Environment variable access combined with network send.
test/costs.test.ts:149
Environment variable access combined with network send.
test/expiring-deals.test.ts:127
Environment variable access combined with network send.
test/head-requests.test.ts:17
Environment variable access combined with network send.
test/http.test.ts:15
Environment variable access combined with network send.
test/new-offers.test.ts:172
Environment variable access combined with network send.
test/newest-deals.test.ts:127
Environment variable access combined with network send.
test/query-log.test.ts:14
Environment variable access combined with network send.
test/stacks.test.ts:99
Environment variable access combined with network send.
test/telemetry.test.ts:102
Environment variable access combined with network send.
test/vendor-risk.test.ts:152
Environment variable access combined with network send.
test/weekly-digest.test.ts:93
Environment variable access combined with network send.
!
scripts/check-pricing-changes.js:3
File read combined with network send (possible exfiltration).
!
scripts/ingest-startup-deals.ts:3
File read combined with network send (possible exfiltration).
!
scripts/monitor-pricing.js:19
File read combined with network send (possible exfiltration).
!
scripts/parse-free-for-dev.ts:3
File read combined with network send (possible exfiltration).
!
scripts/reverify.js:15
File read combined with network send (possible exfiltration).
!
src/serve.ts:2
File read combined with network send (possible exfiltration).
!
src/stats.ts:6
File read combined with network send (possible exfiltration).
!
test/telemetry.test.ts:3
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

💰 Clawdis
latestvk975vnhatnk8yksdezdbs44jwx842cpn
113downloads
0stars
1versions
Updated 3w ago
v1.0.0
MIT-0
@robhunter
latest
Download

AgentDeals — Developer Infrastructure Deals for AI Agents

Search and compare free tiers, startup credits, and pricing changes across 1,500+ developer tools and services. 54 categories covering cloud, databases, CI/CD, monitoring, auth, AI/ML, and more.

When to Use

Use this skill when:

  • Evaluating technology options and want to know what's free
  • Planning a tech stack and need cost-optimized choices
  • Checking if a specific service has a free tier or startup credits
  • Comparing vendors side-by-side (e.g., Supabase vs Firebase, Vercel vs Netlify)
  • Tracking recent pricing changes (which free tiers were removed or degraded)

Setup

AgentDeals is a remote MCP server. Add to your MCP client config:

{
  "mcpServers": {
    "agentdeals": {
      "url": "https://agentdeals.dev/mcp"
    }
  }
}

No API key required. No environment variables needed.

Tools

search_deals

Find free tiers, startup credits, and developer deals. Filter by category, vendor, or keyword. Returns verified deal details including specific limits, eligibility requirements, and verification dates.

plan_stack

Plan a technology stack with cost-optimized infrastructure. Three modes: recommend (suggest services), estimate (cost analysis), audit (find savings and risks).

compare_vendors

Compare developer tools side by side — free tier limits, pricing tiers, stability ratings, and recent pricing changes. Pass 1 vendor for a risk check, or 2 for a full comparison.

track_changes

Track recent pricing changes across developer tools — removed free tiers, limit cuts, improvements, and upcoming expirations. Weekly digest format.

Comments

Loading comments...