Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Kingston

v1.0.1

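Provides product information, price lookups, and computer upgrade advice for Kingston memory modules, solid-state drives, USB flash drives, and other products.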

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill description promises product information, price queries, and computer upgrade suggestions, but the SKILL.md only contains a static brand overview (brand story, product matrix, global footprint, industry observation). There are no instructions or requirements for retrieving prices, accessing vendor data, or performing upgrade analysis — a clear mismatch between stated purpose and actual content.
! Instruction Scope
SKILL.md is limited and safe in that it does not instruct reading files, contacting external endpoints, or accessing credentials. However, it is vague and incomplete for the advertised functionality: it provides triggers (read_when) and a content outline but no operational steps for price lookup or upgrade recommendation, which may lead the agent to improvise or call other tools without guidance.
Install Mechanism
No install spec and no code files — instruction-only skill. This is low-risk from an installation/execution viewpoint (nothing is written to disk or downloaded).
Credentials
The skill declares no required environment variables, no credentials, and no config paths. There is no apparent request for sensitive data; the lack of required secrets is proportionate to the actual (limited) instructions present.
Persistence & Privilege
always is false, no special privileges requested, and the skill does not appear to modify other skills or system configuration. Autonomous invocation is allowed by default but not combined here with other concerning privileges.
What to consider before installing
This skill appears harmless in that it has no install steps or credential requests, but it does not actually implement the price-querying or upgrade-advice functionality promised in its description. Before installing or relying on it:
1) Ask the publisher how prices and upgrade recommendations are obtained (data sources, APIs, frequency).
2) If you need real-time prices or actionable upgrade advice, require the skill to declare which APIs it will call and any required credentials.
3) Test the skill in a limited context and verify outputs against trusted sources.
4) If you expect the agent to fetch external data, prefer skills that explicitly document their data sources and required permissions.
