Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Product Pricing Scraper
v1.0.0
Extract normalized product pricing data from retail or ecommerce pages using HTML parsing with retry, backoff, and safe defaults.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the included code and selector config — the skill fetches pages and extracts pricing via JSON-LD, meta tags, and CSS selectors. However, the SKILL metadata only declares python3 as a required binary while the code depends on third-party Python packages (requests, bs4) that are not declared or provided; that's a packaging inconsistency.
Instruction Scope
SKILL.md instructs the agent/user to provide URLs and run the included CLI; instructions and knobs (--config, --delay, --timeout) are scoped to scraping. The runtime instructions do not direct reading unrelated files, accessing environment secrets, or sending data to unexpected external endpoints.
Install Mechanism
There is no install spec (instruction-only) which minimizes automatic disk writes. The code will still require Python packages (requests, beautifulsoup4) to be installed manually; absence of an install step or dependency list is a usability and reproducibility gap but not an immediate security red flag.
Credentials
The skill does not request environment variables, credentials, or config paths. It performs network requests only to user-supplied target URLs and does not contact hidden external services. This is proportionate to its stated purpose.
Persistence & Privilege
always is false and the skill does not request persistent system-wide changes. It does not modify other skill configs or request elevated privileges.
What to consider before installing
This skill largely matches its stated purpose and does not request secrets, but review and fix before use:
1) It relies on third-party Python libraries (requests, beautifulsoup4) which are not declared—install them in a controlled environment.
2) The provided scraper.py contains at least one clear bug (it attempts to return an undefined variable near the end) and should be tested and patched before production use.
3) Run it in a sandbox or isolated environment and verify behavior on a small set of non-sensitive pages.
4) Respect target sites' robots/tos and avoid aggressive scraping — the tool includes retry/backoff defaults but you should tune delays.
If you expect to run this automatically, add an explicit dependency/install step and fix the code issues; if you lack the ability to audit and patch the script, treat it as untrusted code.
Like a lobster shell, security has layers — review code before you run it.
latest vk9780tav187c3st2s4n55276xh84es1n
Runtime requirements
Bins: python3
