Skill v1.0.0
ClawScan security
Price Hunter · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 2, 2026, 4:32 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements, instructions, and absence of installs/credentials are consistent with a price-comparison tool that scrapes public webpages and search results.
- Guidance: This skill is internally consistent, but be aware of practical and policy considerations before installing: it scrapes public product pages and search results — this can trigger anti-scraping blocks, return incomplete data for pages behind login, or run afoul of some sites' terms of service. The skill does not request credentials, but it will make many outgoing requests (the agent's network/IP will be used). If you need reliable or high-volume data, prefer official APIs from merchants or aggregator partners and consider rate limits, localization (currency, region, language), and verifying final prices before purchasing. If you want to restrict network access or audit requests, do that at the agent/platform level. If anything in the SKILL.md seems unclear (for example how it handles paginated results, currency rounding, or shipping estimate sources), ask the author for clarification before use.
Review Dimensions
- Purpose & Capability (ok): Name and description claim cross-platform price comparison; SKILL.md instructs web search and page fetching to extract prices, sellers, ratings, shipping, and links — all coherent and expected for this purpose. No unrelated credentials, binaries, or config paths are requested.
- Instruction Scope (note): Instructions are focused on searching and extracting price data from public pages and search results. They explicitly handle platform-specific limitations (e.g., Pinduoduo link restrictions, Taobao/Tmall login walls). Note: following pages that require login or verifying link accessibility may fail or return partial data; the instructions do not ask for any local file or secret access.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files — lowest risk install surface. Nothing is written to disk by the skill itself.
- Credentials (ok): No environment variables, credentials, or config paths are requested. The required external access (web searches and fetches) matches the stated functionality.
- Persistence & Privilege (ok): Does not request always: true or any elevated persistent privileges. Default autonomous invocation is allowed by platform but is not excessive for this type of skill.
