Skillv1.0.0

ClawScan security

Price Monitor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 8, 2026, 5:08 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's stated purpose (monitor public pricing across websites) matches its instructions and footprint — it's an instruction-only scraper/monitoring recipe with no unexpected credential or install demands.
Guidance: This skill is an instruction-only recipe for scraping and reporting public pricing pages and appears internally consistent. Before installing: 1) Confirm your agent runtime has network access and a scraping tool (or plan to provide one); the skill itself doesn't install anything. 2) Be aware of legal/terms-of-service and robots.txt considerations when scraping competitor sites and when using archived pages (Wayback Machine). 3) Missing referenced docs (references/...) mean some setup advice is absent — ask the publisher for those or supply your own monitoring setup. 4) If target sites require authentication, APIs, or anti-bot workarounds, you'll need to supply credentials or infrastructure; the skill does not request them. 5) Test on a small, non-production set of URLs first and monitor rate limits and data handling to avoid accidental leakage or blocking.

Review Dimensions

Purpose & Capability: noteName/description (price monitoring, alerts, historical analysis) align with the SKILL.md instructions. The skill implicitly requires network/web-scraping capability (fetching competitor pages and Wayback Machine archives) but does not declare any binaries or credentials — this is coherent for public-site monitoring, though sites that block scraping or require APIs/CAPTCHAs will need separate tooling not provided here.
Instruction Scope: noteThe runtime instructions are scoped to collecting and reporting pricing changes from competitor URLs and historical archives. They do not instruct reading local secrets or unrelated system files. Minor inconsistency: SKILL.md references local files under references/ (e.g., references/monitoring-setup.md) that are not included in the bundle; also there are no instructions about respecting robots.txt, rate-limiting, or handling anti-bot defenses.
Install Mechanism: okNo install spec and no code files — instruction-only skill. This is the lowest install risk: nothing will be written to disk by the skill itself.
Credentials: noteThe skill declares no required environment variables or credentials, which is proportionate for public web monitoring. Be aware that some target sites or archival APIs might require API keys or proxies in practice; the SKILL.md does not request them nor show how to supply them.
Persistence & Privilege: okalways:false and user-invocable:true (defaults) — no elevated persistence requested. The skill does not claim to modify other skills or system-wide configs.