Skill v1.0.0

ClawScan security

Discord Shopping Deals · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 23, 2026, 2:11 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requested resources and runtime instructions are coherent with its stated purpose (web searches and fetching public pages to find deals) and do not ask for unrelated credentials or installs.
Guidance
This skill appears to do what it says: run public web searches, visit vendor pages, and post a short Discord-formatted summary. Before enabling it, consider: (1) it will fetch arbitrary public web pages to extract prices/coupons — this can be noisy and may trigger rate limits or vendor anti-scraping measures; (2) it assumes the agent has permission to post/react in Discord channels — review which Discord token/connector the agent will use and restrict its scope to test channels first; (3) coupon accuracy and link safety depend on scraping third-party sites — treat results as informational, not authoritative; (4) there is no author/homepage provided, so if provenance matters ask the publisher for contact or source code. If you want stricter controls, test in a private channel, monitor activity, and consider disabling autonomous invocation or limiting the skill to user-invoked only.

Review Dimensions

Purpose & Capability
ok: Name/description (find shopping deals via Discord) match the instructions: perform web_search queries, aggregate results, use web_fetch for confirmation, and post Discord-formatted replies. It does not request unrelated creds, binaries, or installs.
Instruction Scope
note: SKILL.md confines actions to web_search and web_fetch and Discord replies. It instructs scraping/confirming vendor pages and coupon lookups, which is expected, but these actions will fetch arbitrary public web pages — a normal but broadly scoped network capability. The doc assumes the platform supplies Discord messaging capability (it does not declare Discord credentials), which is typical but worth noting.
Install Mechanism
ok: Instruction-only skill with no install steps or downloads. Nothing is written to disk or fetched as code during install.
Credentials
ok: No environment variables, credentials, or config paths are requested. The lack of declared Discord credentials is consistent with a platform-handled connector; no disproportionate secrets are asked for.
Persistence & Privilege
ok: always:false and normal invocation semantics. The skill does not request persistent system-wide changes or other skills' configs.