Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Competitor Monitor
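v2.0.0
Competitor price monitoring assistant that automatically tracks competitor price changes and listing/delisting status; supports Taobao, JD, Pinduoduo, and Amazon.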
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (competitor price monitor) align with the included scripts: they fetch prices from Taobao/JD/PDD/Amazon, save history, and send webhook/email notifications. However, the SKILL metadata lists required binaries ['python3','uv'] — python3 is justified, but 'uv' is never referenced in the code or docs and appears unnecessary or a typo (e.g., maybe meant 'uvicorn'). This is a minor incoherence to confirm with the author.
Instruction Scope
SKILL.md instructs editing config files and running the Python scripts; the scripts do exactly that: perform HTTP requests to e‑commerce pages/APIs, parse HTML/JSON via regex, save history and markdown reports to an output directory, and post to webhook URLs. The instructions and code do not request access to unrelated system files or unknown external endpoints beyond configured webhooks/APIs. They do perform network IO and write local files (history/reports), which is expected for this purpose.
Install Mechanism
There is no install spec (instruction-only), and source files are included. No external archive downloads or package installs are specified — lowest install risk. The presence of code files without an explicit install is coherent for a skill that runs python scripts, but you should note the repository includes runnable code that will execute network requests when run.
Credentials
The skill declares no required environment variables, which is consistent with the code that reads webhook/SMTP credentials from config JSON files. The config contains webhook URLs and an email password field; those are expected for notification functionality but are sensitive — they are stored in plain JSON files, not declared env vars. Also note the unexplained 'uv' binary requirement in metadata (not used by code).
Persistence & Privilege
always is false and the skill does not request elevated privileges or modify other skills. It writes history and report files under its own scripts/output directory (normal for this app) and does network calls; no evidence it persists beyond its own files or alters agent/system configuration.
What to consider before installing
This skill appears to implement the advertised price-monitoring features, but review these points before installing:
- The metadata requires a binary named 'uv' which the code does not use — confirm whether this is a typo (e.g., uvicorn) or an unexplained dependency. Don't install unknown binaries without confirmation.
- The scripts perform web scraping and call external APIs and webhooks. Only provide webhook URLs, SMTP credentials, or other secrets if you trust the skill source; credentials are stored in plain JSON files in the skill directory.
- Run scripts in a sandbox or non-production environment first (try scripts/demo.py to test local behavior) and inspect config/notify.json before enabling notifications.
- Be aware of legal and platform risks of high-frequency scraping; the README and SKILL.md already recommend using proxies and avoiding excessive frequency.
- If you need higher assurance, ask the author for an explanation of the 'uv' requirement and for an explicit list of third-party APIs the production version will call (the code contains simulated Taobao responses and direct JD API calls).

Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
👀 Clawdis
Bins: python3, uv
