Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

PriceClaw

v1.0.0

Query and contribute to PriceClaw, a crowdsourced price database. Search prices, submit new price data, and vote on existing entries.

MIT-0
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (searching/submitting prices) matches the API calls and flows described in SKILL.md. However, registry metadata claims no required env vars while SKILL.md includes an env entry for PRICECLAW_API_KEY and documents write operations that require that key; this metadata mismatch is worth fixing.
Instruction Scope
SKILL.md instructs the agent to perform OAuth flows, poll an auth endpoint, accept provider access tokens, and persist the returned API key into the user's OpenClaw environment (e.g. ~/.openclaw/.env or openclaw.json). Those actions involve reading/writing user configuration and handling sensitive credentials. While relevant to the skill's purpose (obtaining/storing a write-capable API key), they expand scope beyond simple read-only queries and require careful user consent and secure handling.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is downloaded or written by an installer. That lowers the code-execution/install risk surface.
Credentials
The runtime instructions expect a PRICECLAW_API_KEY and also describe accepting provider access tokens (GitHub/Google/Discord) to obtain that key. Those are appropriate for registration, but the registry metadata does not declare PRICECLAW_API_KEY as required — an inconsistency. Also, persisting the API key to plaintext env files (as suggested) is potentially sensitive and should be made explicit to the user.
Persistence & Privilege
The skill does not request always: true and is user-invocable — normal. However, it explicitly instructs writing the returned API key into the user's OpenClaw config (~/.openclaw/.env or openclaw.json). Writing persistent credentials to user files is a meaningful privilege; the skill claims to ask for user confirmation before writing but the instructions do request filesystem access and persistent storage.
What to consider before installing
This skill appears to implement the PriceClaw API and needs a PRICECLAW_API_KEY to perform write operations. Before installing:
1) Verify the skill's source (no homepage or repo is provided).
2) Expect the agent to prompt you to open an OAuth URL in your browser and to poll the service until an api_key is returned.
3) The skill may ask to store the API key in plain-text env files (e.g. ~/.openclaw/.env or in openclaw.json); confirm consent and consider whether you want secrets stored that way.
4) Be careful about pasting provider access tokens (GitHub/Google/Discord)—these are powerful credentials; prefer the OAuth browser flow if available.
5) Ask the publisher to correct the registry metadata (declare PRICECLAW_API_KEY) and to document how/where keys are stored and whether they are encrypted.
If you cannot verify the skill's origin or are uncomfortable with storing tokens on disk, do not install.
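The poll-then-persist credential flow the scan describes, written the way a reviewer would want a skill to perform it: bounded polling, an explicit confirmation before anything is written (and again before an existing value is overwritten), an atomic write with mode 0600, and an audit helper you can run after the skill has finished. This is an added example, not PriceClaw's or OpenClaw's own code; the JSON shape of the poll response, the KEY=value .env format and every function name below are assumptions.

```python
"""The credential flow the scan describes (poll an auth endpoint until an
api_key comes back, then persist it to ~/.openclaw/.env), written the way a
reviewer would want a skill to do it. Added example, not PriceClaw's or
OpenClaw's code. Assumed: the JSON shape of the poll response
({"status": "pending"} until {"api_key": "..."}), the KEY=value .env format,
and every function name below."""
import os
import tempfile
import time
from pathlib import Path
from typing import Callable, Optional

ENV_KEY = "PRICECLAW_API_KEY"  # the variable the registry lists as required


def poll_for_api_key(poll_once: Callable[[], dict], max_attempts: int = 150,
                     interval_s: float = 2.0, sleep=time.sleep) -> Optional[str]:
    """Poll until a response carries an api_key; give up after max_attempts.

    poll_once is injected (in practice an HTTP GET to the skill's auth
    endpoint, whose response shape is assumed here) so the logic runs offline.
    The bound matters: an open-ended loop leaves the agent running, with
    network access, for as long as the user never finishes the browser login.
    Any status other than "pending" (denied, expired) stops the loop early.
    """
    for attempt in range(max_attempts):
        resp = poll_once()
        key = resp.get("api_key")
        if isinstance(key, str) and key:
            return key
        if resp.get("status") not in (None, "pending"):
            return None
        if attempt + 1 < max_attempts:
            sleep(interval_s)
    return None


def persist_api_key(env_path: Path, key: str,
                    confirm: Callable[[str], bool]) -> bool:
    """Append or replace ENV_KEY=key in env_path, only with explicit consent.

    - asks before writing at all, and again before overwriting an existing value
    - writes a temp file and renames it, so a crash never leaves a half-written .env
    - creates the file with mode 0600 and tightens an existing looser mode
    The key is never printed or logged; it only ever reaches the file.
    """
    if not confirm(f"Store {ENV_KEY} in {env_path} as plain text?"):
        return False
    lines: list[str] = []
    if env_path.exists():
        lines = env_path.read_text().splitlines()
        if any(line.startswith(ENV_KEY + "=") for line in lines):
            if not confirm(f"{ENV_KEY} is already set in {env_path}; overwrite?"):
                return False
            lines = [line for line in lines if not line.startswith(ENV_KEY + "=")]
    lines.append(f"{ENV_KEY}={key}")

    env_path.parent.mkdir(parents=True, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=env_path.parent, prefix=".env.tmp.")
    try:
        with os.fdopen(fd, "w") as fh:
            os.fchmod(fh.fileno(), 0o600)
            fh.write("\n".join(lines) + "\n")
        os.replace(tmp, env_path)
    finally:
        if os.path.exists(tmp):
            os.unlink(tmp)
    os.chmod(env_path, 0o600)
    return True


def audit_env_file(env_path: Path) -> dict:
    """The check to run after the skill has finished: is the key there, and
    can other local users read the file?"""
    if not env_path.exists():
        return {"exists": False, "has_key": False, "readable_by_others": False}
    mode = env_path.stat().st_mode & 0o777
    has_key = any(line.startswith(ENV_KEY + "=")
                  for line in env_path.read_text().splitlines())
    return {"exists": True, "mode": oct(mode), "has_key": has_key,
            "readable_by_others": bool(mode & 0o077)}


if __name__ == "__main__":
    # Constructed stand-in for the auth endpoint: pending twice, then a key.
    responses = iter([{"status": "pending"}, {"status": "pending"},
                      {"api_key": "pc_example_key"}])
    key = poll_for_api_key(lambda: next(responses), max_attempts=5, interval_s=0)
    env = Path(tempfile.mkdtemp()) / ".openclaw" / ".env"
    ask = lambda prompt: input(prompt + " [y/N] ").strip().lower() == "y"
    if key and persist_api_key(env, key, ask):
        print(audit_env_file(env))
```

Mode 0600 keeps other local users out, but it does nothing against other processes running as you, which is the real exposure of a plain-text .env; if that matters in your environment, keep the key in the operating system's secret store and export it into the agent's environment only for the session.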


latest: vk975am8pj8bm4rth9n8jz5gx3s84cxxb

License

MIT-0
Free to use, modify, and redistribute. No attribution required.

Runtime requirements

Environment variables
PRICECLAW_API_KEY (required)
