Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tariff

v1.0.0

International trade tariff reference — HS codes, duty rates, trade agreements, customs valuation, and tariff classification. Use when classifying goods for i...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (tariff reference, HS codes, duties, etc.) align with what is provided: a local script that prints reference material and examples. The skill does not request unrelated credentials, binaries, or config paths.
Instruction Scope
SKILL.md directs the agent to run scripts/script.sh for all commands. The visible portions of script.sh are documentation-style functions that print tariff guidance (no network calls or file writes shown). SKILL.md mentions an optional TARIFF_DIR (~/.tariff/) which could be used by the script — that is reasonable for optional local data but should be checked to ensure it doesn't read unexpected paths. The provided script content is truncated in the prompt; I cannot verify the tail end of the file.
Install Mechanism
No install spec is present (instruction-only usage with a bundled script). This is low-risk compared with downloading remote code or adding packages.
Credentials
The skill declares no required environment variables or credentials. SKILL.md documents an optional TARIFF_DIR defaulting to ~/.tariff/, which is proportionate for a local data directory, but users should confirm the script only uses that path as intended.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. It does not declare system-wide configuration changes. Autonomous invocation is allowed by default but is not combined with broad privileges here.
What to consider before installing
This skill is largely coherent with its description: it runs a local shell script that appears to print tariff reference material and asks for no credentials. However, the script listing provided was truncated, so before installing or enabling autonomous use you should inspect the full scripts/script.sh file yourself (open it in a text editor) to confirm there are no network requests (curl/wget/ssh), no unexpected file reads/writes outside ~/.tariff, and no obfuscated/encoded code. If you don't want to inspect manually, run the skill in a restricted/sandboxed environment first. If you plan to point TARIFF_DIR at a custom path, avoid using sensitive directories (home root configs, SSH keys, cloud creds).

Like a lobster shell, security has layers — review code before you run it.

