v1.0.0

Price Alert Monitor

Benign. ClawScan verdict for this skill. Analyzed May 1, 2026, 7:21 AM.

Analysis

This is a simple user-invoked price-monitoring script with no artifact-backed malicious behavior, but it stores shopping data locally and its notification documentation appears stronger than the included code supports.

Guidance: This appears safe to use as a local Python helper if you are comfortable with it saving product-monitoring data in your home directory. Do not rely on email or webhook notifications until you test or implement them, because the included script appears to only print alerts.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Human-Agent Trust Exploitation
Severity: Info | Confidence: High | Status: Note
SKILL.md
Supports:
- Print to the terminal
- Send email (requires SMTP configuration)
- Send to a Webhook

export PRICE_WEBHOOK="your-webhook-url"

The documentation advertises SMTP/Webhook notification support, but the included script only prints target-hit messages and contains no SMTP or PRICE_WEBHOOK handling. This is a functionality/trust note, not evidence of hidden outbound transmission.

User impact: You may think it will send real alerts, but the bundled implementation may only print messages, so important price alerts could be missed.
Recommendation: Verify notification behavior before relying on it, and only configure a webhook if you confirm the code actually uses it as intended.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low | Confidence: High | Status: Note
scripts/price_monitor.py
DATA_FILE = os.path.expanduser("~/.price-monitor.json") ... "url": url ... "target_price": args.target or 0

The script persistently stores monitored product URLs and target prices in a home-directory JSON file.

User impact: Anyone with access to that local file could see what products you are monitoring and your target prices.
Recommendation: Use it only on trusted machines, avoid adding sensitive/private URLs, and delete ~/.price-monitor.json if you want to remove the saved monitoring history.