Is ecommerce-price-comparison safe?
https://clawhub.ai/birdme007/ecommerce-price-comparison
This e-commerce price comparison skill contains executable Python code that makes outbound HTTP requests to Chinese e-commerce platforms (JD.com, Taobao, Tmall, Pinduoduo) and instructs the agent to run scraping scripts. While no direct malicious behavior was detected - canary files are intact, no prompt injection was found, and clone behavior was clean - the skill establishes significant outbound network capability through its scraping infrastructure, instructs installation of a full headless browser (Playwright/Chromium), and uses Chinese-language content that creates a review barrier. The combination of legitimate-looking HTTP request channels, proxy infrastructure, and references to multiple unshipped scripts presents a moderate risk profile.
Findings (11)
HIGH Executable Python scripts with outbound network access -35
The skill contains jd_scraper.py with executable code that makes HTTP requests to external servers (jd.com, taobao.com, pinduoduo). The SKILL.md explicitly instructs running multiple Python scripts. This gives the agent a code execution path with network access.
HIGH Instruction to install Playwright and Chromium browser -25
The scripts/README.md instructs installing Playwright and downloading a full Chromium browser binary. This gives the agent a headless browser with full JavaScript execution capability, network access, and the ability to interact with authenticated web sessions.
HIGH Outbound HTTP requests to multiple external domains -35
The skill's core functionality requires making HTTP requests to multiple Chinese e-commerce platforms. While this is the stated purpose, it establishes legitimate-looking outbound network channels that could be used to exfiltrate data. The use of session cookies and custom headers adds to the risk.
MEDIUM Proxy and IP rotation infrastructure -10
The skill documents proxy configuration and IP rotation strategies. While framed as anti-detection for web scraping, proxy infrastructure can be used to obfuscate the destination of exfiltrated data.
MEDIUM Persistent session with cookies and custom headers -10
The scraper uses requests.Session() which persists cookies across requests. Combined with custom User-Agent and Referer headers, this could be used to maintain authenticated sessions or track user behavior.
MEDIUM Chinese-language obfuscation of skill instructions -15
The entire SKILL.md is written in Mandarin Chinese, creating a review barrier for non-Chinese-speaking users and auditors. While no malicious instructions were found upon translation, this language barrier reduces the effectiveness of manual code review.
MEDIUM Skill instructs agent to execute external scripts -10
SKILL.md directs the agent to run Python scripts for price history tracking and batch comparison. This creates an indirect execution path where the skill's markdown instructions cause the agent to run code.
LOW Skill-chaining risk with network-capable scraping infrastructure -30
This skill is benign in isolation but becomes dangerous when combined with skills that have filesystem read access. The HTTP request infrastructure could be used as an exfiltration channel for data gathered by other skills.
LOW Referenced scripts not present in repository -30
SKILL.md references taobao_scraper.py, tmall_scraper.py, pdd_scraper.py, price_comparator.py, report_generator.py, price_history.py, and batch_processor.py, but only jd_scraper.py is present. Missing scripts could be added later with malicious content, or the agent might be prompted to create them.
INFO Network connections during install window are system-level -5
Connections to 185.125.188.54/57 (Canonical infrastructure) and 216.150.1.1 during install are attributable to system services, not the skill itself.
INFO Filesystem diff shows only pre-existing system files -10
The baseline filesystem diff shows changes in linuxbrew, go modules, snap cache, and system files - all pre-existing content unrelated to the skill installation.