Shopping Expert

Result: Pass. Audited by ClawScan on May 1, 2026.

Overview

The skill appears coherent for product search; the main things to notice are its use of external shopping/location APIs, API keys, and Python dependencies.

This skill looks safe to review as a shopping/search helper, not a purchasing agent. Before installing, make sure you are comfortable providing SerpAPI and Google Places API keys, sending search and location details to those providers, and using uv to run the Python script with its declared dependencies.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the skill may consume API quota or incur provider-side usage tied to the user's API keys.

Why it was flagged

The script uses provider API keys from environment variables for SerpAPI and Google Places, which is expected for this integration but gives the skill access to those services under the user's quota or billing account.

Skill content

SERPAPI_KEY = os.environ.get("SERPAPI_API_KEY")
PLACES_API_KEY = os.environ.get("GOOGLE_PLACES_API_KEY")

Recommendation

Use scoped provider API keys where possible, monitor quota/billing, and avoid sharing keys in prompts or logs.

What this means

Search terms, preferences, country, and local location strings may be transmitted to third-party APIs.

Why it was flagged

The script sends search parameters to SerpAPI and Google Places. This is consistent with the stated purpose, but product searches and local location queries are shared with external providers.

Skill content

SERP_BASE_URL = "https://serpapi.com/search"
PLACES_BASE_URL = "https://places.googleapis.com/v1"
...
response = requests.get(SERP_BASE_URL, params=params, timeout=30)
...
response = requests.post(url, json=body, headers=headers, timeout=30)

Recommendation

Do not use highly sensitive addresses or private purchasing details unless you are comfortable sending them to the configured providers.

What this means

Dependency versions may vary over time depending on the package resolver and available packages.

Why it was flagged

The uv-run script declares runtime Python dependencies using lower-bound version constraints. This is common and purpose-aligned, but it relies on package resolution from the Python package ecosystem rather than fully pinned versions.

Skill content

# dependencies = [
#     "requests>=2.31.0",
#     "urllib3>=2.0.0",
# ]

Recommendation

Install in a normal isolated environment and, for stricter reproducibility, pin or lock dependencies before deploying in sensitive environments.