Skill v0.6.4
ClawScan security
price-check · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 26, 2026, 7:16 AM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and optional integrations are consistent with a price‑comparison tool that queries a third‑party price API and stores local history; nothing in the package looks like deliberate misdirection or unrelated credential exfiltration, but there are a few engineering inconsistencies and opt‑in features you should be aware of before enabling them.
- Guidance
- This package appears to be what it says: a price‑comparison script that queries maishou88.com and keeps local history. Before installing or using it:
  1) Ensure your OpenClaw environment provides the Python dependency aiohttp; otherwise the script fails at import.
  2) All queries are written to ~/.openclaw/data/price-check/price-check.db (local storage), and config.json in the same directory may store your Feishu token if you enable syncing. Keep that file out of version control and restrict its permissions.
  3) Feishu sync is opt‑in: enable it only if you trust the destination and are comfortable storing and providing the base_token. Enabling it runs lark-cli as a subprocess, i.e. executes a local binary, so make sure the lark-cli on your PATH is the one you expect.
  4) The skill ships a default maishou API OPENID and invite code; if third‑party API usage is a concern, review or replace the data layer.
  5) SKILL.md requires the agent to forward the generated human_report verbatim; be mindful that reports could contain sensitive text or links that would then reach the user unfiltered.
  For higher assurance, ask the author to declare Python package dependencies in the skill metadata and to document exactly what the default OPENID/invite code implies.
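A pre-enable audit covering the steps above, as an added example; this is reviewer-written code, not code from the price-check skill or from ClawHub. It uses only the path and names the report gives (~/.openclaw/data/price-check, aiohttp, lark-cli) and treats the layout of config.json as unknown: any set key whose name contains token, secret, password or api_key is flagged, which is an assumption. The sample config written by `demo()` and its key names are constructed.

```python
"""Pre-enable audit for the price-check skill's local state (added example).

Reviewer-written, not part of the skill. It checks the points the scan
guidance raises: the aiohttp dependency, secrets in
~/.openclaw/data/price-check/config.json, that file's permissions, and the
presence of the lark-cli binary used for opt-in Feishu sync. The layout of
config.json is not documented on the scan page, so secret detection is by
key name (an assumption); the sample config in demo() is constructed.
"""
import importlib.util
import json
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Paths and names taken from the scan report.
DATA_DIR = Path.home() / ".openclaw" / "data" / "price-check"
REQUIRED_MODULES = ("aiohttp",)
SYNC_BINARY = "lark-cli"
# Assumption: any key containing one of these substrings holds a secret.
SECRET_KEY_HINTS = ("token", "secret", "password", "api_key")


def has_module(name: str) -> bool:
    """True if `name` is importable by this interpreter (no import side effects)."""
    return importlib.util.find_spec(name) is not None


def find_secret_keys(obj, prefix: str = "") -> list[str]:
    """Return dotted paths of keys in parsed JSON that look like secrets and are set."""
    found = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            path = f"{prefix}.{key}" if prefix else key
            looks_secret = any(h in key.lower() for h in SECRET_KEY_HINTS)
            if looks_secret and value not in (None, "", False):
                found.append(path)
            found.extend(find_secret_keys(value, path))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            found.extend(find_secret_keys(value, f"{prefix}[{i}]"))
    return found


def world_readable(path: Path) -> bool:
    """True if group or others can read the file; a stored token should be 0600."""
    return bool(path.stat().st_mode & (stat.S_IRGRP | stat.S_IROTH))


def audit(data_dir: Path = DATA_DIR) -> dict:
    """Collect findings about the skill's local state without modifying anything."""
    findings = {
        "missing_modules": [m for m in REQUIRED_MODULES if not has_module(m)],
        "secrets_in_config": [],
        "config_world_readable": False,
        "sync_binary_on_path": shutil.which(SYNC_BINARY) is not None,
    }
    config = data_dir / "config.json"
    if config.is_file():
        findings["secrets_in_config"] = find_secret_keys(json.loads(config.read_text()))
        findings["config_world_readable"] = world_readable(config)
    return findings


def demo() -> dict:
    """Run the audit against a constructed config in a temp dir, then apply the fix."""
    with tempfile.TemporaryDirectory() as tmp:
        data_dir = Path(tmp)
        config = data_dir / "config.json"
        # Constructed sample of what config.json might hold after enabling Feishu sync.
        sample = {"feishu": {"enabled": True, "base_token": "example-token"},
                  "invite_code": "default"}
        config.write_text(json.dumps(sample))
        os.chmod(config, 0o644)  # common default mode; too permissive for a token
        findings = audit(data_dir)
        # Remediation a practitioner applies before enabling sync: owner-only access.
        os.chmod(config, 0o600)
        findings["fixed_world_readable"] = world_readable(config)
        return findings


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run `audit()` with no arguments against the real data directory before enabling Feishu sync; `demo()` only exercises the checks on throwaway data. A non-empty `missing_modules` means step 1 is not satisfied, a non-empty `secrets_in_config` together with `config_world_readable` tells you the token is stored and readable by other local users, and `sync_binary_on_path` shows whether a lark-cli would actually be executed.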
Review Dimensions
- Purpose & Capability
- note: The name/description (multi‑platform price comparison + local history + optional Feishu sync) align with what the code does: it calls a maishou88.com API client, filters results, writes to a local SQLite DB, and can optionally sync to Feishu. Minor mismatch: the script needs the Python package 'aiohttp' (declared in a file header comment) but the skill metadata only lists required binaries (python3, uv) and does not declare Python package dependencies; this is an engineering omission that can cause runtime failures but does not indicate malicious intent.
- Instruction Scope
- ok: SKILL.md instructs agents to run the included Python script and to render the produced human_report verbatim. The runtime actions in code are within the stated scope: network calls to maishou88.com for price data, local writes to ~/.openclaw/data/price-check/*. No instructions ask the agent to read arbitrary system files or unrelated environment variables. The requirement that agents forward human_report verbatim is a strict formatting rule but not a security red flag by itself.
- Install Mechanism
- note: There is no external download/install spec (the code is bundled in the skill), which is low risk. Runtime dependency management is inconsistent, though: bin/price_check.py declares dependencies=['aiohttp'] in a header comment, while the OpenClaw metadata lists only required binaries (python3, uv). If that header is PEP 723 inline script metadata and the agent launches the script with `uv run`, uv resolves aiohttp on the fly; a plain `python3` invocation in an environment without aiohttp fails at import. No suspicious or arbitrary external installers/URLs are used.
- Credentials
- ok: The skill does not request broad or unrelated environment variables. It uses an internal OPENID constant and reads an optional MAISHOU_INVITE_CODE env var (with a safe default). The only potentially sensitive external credential is the Feishu base_token (used only if you opt into Feishu sync); when you enable the feature, that token is stored in a config file under the skill's local data directory (~/.openclaw/data/price-check/config.json), so that file should be kept private. No AWS/GCP/other tokens are requested.
- Persistence & Privilege
- ok: The skill persists only to its own data directory (~/.openclaw/data/price-check/) and creates a local SQLite DB; this matches the declared purpose (history accumulation). always: false (no forced global inclusion). The skill does call lark-cli via subprocess for optional Feishu sync; that runs an external binary only if you enable Feishu sync and supply tokens.
