Skill v1.0.1
ClawScan security
Skill Price · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 30, 2026, 7:24 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's description and runtime instructions broadly match a price-monitoring tool, but the metadata sources disagree about required credentials and binaries, and the guidance on alert delivery is vague. Both warrant caution before use.
- Guidance: This skill appears to do what it says (price monitoring and alerts), but clarify a few things before installing:
  1. Confirm which environment variables and binaries you must provide. SKILL.md and clawhub.yaml declare TRADEGPT_API_KEY (env var) and python3 (binary), while the registry summary lists none; establish which source is authoritative.
  2. Ask the publisher how email/WhatsApp alerts are delivered and whether additional credentials or third-party services are required.
  3. Limit the API key's scope and rotate it if possible; never provide broad credentials (AWS/GitHub/etc.) unrelated to price data.
  4. Verify the vendor endpoints (api.yunlvai.com and data.yunlvai.com) and their privacy/billing terms, and confirm that scraping the target sites is legal in your jurisdiction.
  5. If you want to be cautious, run initial tests with a scoped test API key in an isolated environment and request the publisher's implementation details (how data is fetched and where reports/alerts are sent) to resolve the metadata inconsistencies.
- Findings
[no_scan_findings] expected: The static regex scanner found nothing because the package contains no executable code; SKILL.md is instruction-only. Static results are therefore not informative about runtime network calls or credential use.
Review Dimensions
- Purpose & Capability
- ok: The skill claims to monitor competitor pricing, aggregate B2B/customs data, analyze trends, and send alerts, and SKILL.md describes exactly those actions and relevant data sources (B2B platforms, customs data, competitor sites). Requesting an API key for the vendor's TradeGPT API is coherent with this purpose.
- Instruction Scope
- note: SKILL.md instructs the agent to aggregate and clean multi-source pricing data and generate reports/alerts. It does not instruct reading arbitrary local files or unrelated environment variables. However, alert delivery (email/WhatsApp) is described without any declared credentials or transport details, which is vague and could imply additional setup or credential needs not listed in the metadata.
- Install Mechanism
- ok: No install spec and no code files. This is an instruction-only skill, so nothing is downloaded or written by an installer, which minimizes install risk.
- Credentials
- concern: There is an inconsistency: the top-level registry summary lists no required env vars or binaries, but SKILL.md and clawhub.yaml declare a primaryEnv (TRADEGPT_API_KEY) and require python3. Requiring TRADEGPT_API_KEY is reasonable for calling the vendor API, but a python3 binary requirement is unexpected for an instruction-only skill with no code. The clawhub metadata also references a '海关价格数据' (customs price data) API that mentions a Bearer token but declares no corresponding env var. These mismatches should be resolved before trusting the skill with secrets.
- Persistence & Privilege
- ok: The always flag is false and the skill is user-invocable. There is no installation step that requests persistent presence or modifies other skills or global configs. Autonomous invocation is allowed by default, but it is not combined with other high privileges here.
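The Guidance item 1, the Credentials dimension and the Persistence & Privilege dimension above all come down to comparing what the three metadata sources (SKILL.md, clawhub.yaml, the registry summary) say a skill needs. The script below is an added example of such a cross-check; it is not ClawScan's scanner code. The clawhub.yaml field names (primaryEnv, requires, apis, alerts, always) and the registry summary shape are assumptions for illustration, the documents are passed in already parsed, and the sample inputs are constructed to mirror the findings on this page.

```python
"""Cross-check a skill's declared credentials and binaries across metadata sources.

Added example, not ClawHub's scanner. Field names and document shapes are assumed.
"""
import re
from dataclasses import dataclass

# Constructed sample inputs mirroring the review findings above.
SKILL_MD = """# Price monitoring
Set TRADEGPT_API_KEY in your environment.
Run with python3.
Reports and alerts (email/WhatsApp) are sent after each scan.
Endpoints: https://api.yunlvai.com and https://data.yunlvai.com
"""
CLAWHUB_YAML = {                      # assumed shape of a parsed clawhub.yaml
    "primaryEnv": "TRADEGPT_API_KEY",
    "requires": {"bins": ["python3"]},
    "apis": [{"name": "海关价格数据", "auth": "Bearer token"}],  # no env declared
    "always": False,
    "userInvocable": True,
}
REGISTRY_SUMMARY = {"env": [], "bins": []}   # assumed shape of the registry summary

ENV_RE = re.compile(r"\b[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+\b")       # UPPER_SNAKE tokens
ALERT_RE = re.compile(r"\b(email|whatsapp|sms|slack|telegram)\b", re.IGNORECASE)
BROAD_CRED_PREFIXES = ("AWS_", "GITHUB_", "GH_", "AZURE_", "GOOGLE_", "GCP_")


@dataclass(frozen=True)
class Finding:
    severity: str      # "ok" | "note" | "concern", matching the dimensions above
    dimension: str
    message: str


def env_vars_in_markdown(md: str) -> set[str]:
    """Env-var-looking tokens mentioned in the instruction text."""
    return set(ENV_RE.findall(md))


def declared_envs(yaml_meta: dict) -> set[str]:
    envs = {yaml_meta["primaryEnv"]} if yaml_meta.get("primaryEnv") else set()
    envs.update(yaml_meta.get("requires", {}).get("env", []))
    return envs


def audit(skill_md: str, yaml_meta: dict, registry: dict, code_files: list[str]) -> list[Finding]:
    out: list[Finding] = []
    md_envs = env_vars_in_markdown(skill_md)
    yaml_envs = declared_envs(yaml_meta)
    yaml_bins = set(yaml_meta.get("requires", {}).get("bins", []))
    reg_envs, reg_bins = set(registry.get("env", [])), set(registry.get("bins", []))

    # 1. The sources must agree on what the user is asked to provide.
    for what, declared, listed in (("env vars", yaml_envs, reg_envs), ("binaries", yaml_bins, reg_bins)):
        if declared != listed:
            out.append(Finding("concern", "Credentials",
                               f"{what} differ: clawhub.yaml declares {sorted(declared)}, "
                               f"registry lists {sorted(listed)}"))
    for var in sorted(md_envs - yaml_envs):
        out.append(Finding("concern", "Credentials", f"SKILL.md references {var} but clawhub.yaml does not declare it"))

    # 2. Any API that needs auth should name the env var that carries the token.
    for api in yaml_meta.get("apis", []):
        if api.get("auth") and not api.get("env"):
            out.append(Finding("concern", "Credentials", f"API '{api['name']}' needs {api['auth']} but declares no env var"))

    # 3. Broad cloud/VCS credentials are out of scope for a price-monitoring skill.
    for var in sorted(yaml_envs | md_envs):
        if var.startswith(BROAD_CRED_PREFIXES):
            out.append(Finding("concern", "Credentials", f"{var} is a broad credential unrelated to price data"))

    # 4. A binary requirement makes no sense for an instruction-only package.
    if yaml_bins and not code_files:
        out.append(Finding("note", "Credentials", f"requires {sorted(yaml_bins)} but the package ships no code"))

    # 5. Alert channels described without any transport or credential declaration.
    channels = sorted({m.lower() for m in ALERT_RE.findall(skill_md)})
    if channels and not yaml_meta.get("alerts"):
        out.append(Finding("note", "Instruction Scope", f"alert channels {channels} described but no transport declared"))

    # 6. Always-on plus credentials is worse than either alone.
    if yaml_meta.get("always") and yaml_envs:
        out.append(Finding("concern", "Persistence & Privilege", "always-on skill holds credentials"))
    else:
        out.append(Finding("ok", "Persistence & Privilege", "not always-on; user-invocable"))
    return out


def verdict(findings: list[Finding]) -> str:
    """Illustrative mapping: any concern makes the skill suspicious."""
    return "suspicious" if any(f.severity == "concern" for f in findings) else "ok"


if __name__ == "__main__":
    for f in audit(SKILL_MD, CLAWHUB_YAML, REGISTRY_SUMMARY, code_files=[]):
        print(f"[{f.severity}] {f.dimension}: {f.message}")
```

Run against the constructed inputs it reports the three credential concerns from this page (env var and binary mismatch with the registry, the Bearer-token API without an env var), the python3-without-code and alert-transport notes, and an ok for persistence, yielding the same "suspicious" verdict. Feeding it a SKILL.md that asks for AWS_SECRET_ACCESS_KEY would trip check 3 even when all three sources agree, which is the case Guidance item 3 warns about.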
