Security scan
OpenClaw
Safe
high confidence
BuyWise's code and runtime instructions align with its shopping/advice purpose; it asks for no unrelated credentials and its behavior is consistent with extracting prices/reviews from public storefronts and trackers.
Assessment and recommendations
This skill appears internally consistent and focused: it uses a browser tool to read public product pages and price-history sites and does not request credentials. Before installing, confirm you trust the agent's browser capability (gstack) and the CouponClaw skill it may call, since those components will access external websites on your behalf. Also remember BuyWise extracts public web data only — always verify any final prices or payment details directly on the retailer's site before purchasin...
✓ Purpose and capability
Name/description (price comparison, review summarization, deal-checking) match the included scripts and SKILL.md. The skill explicitly recommends the gstack 'browser' capability and calls out CouponClaw for coupons — these are coherent dependencies for live page scraping and coupon lookup. No unrelated credentials, binaries, or config paths are requested.
✓ Instruction scope
SKILL.md instructs the agent to use the browser tool and web_search to fetch public pages (smzdm, Amazon, CamelCamelCamel, Google Shopping, AliExpress, Temu, Reddit, etc.) and to extract prices/reviews. The instructions do not ask the agent to read local files, environment variables, or system secrets, nor to transmit collected data to any hidden endpoints. It does recommend running 'openclaw run couponclaw' to find coupons — a clear cross-skill call that is expected for coupon functionality.
✓ Install mechanism
No install spec is provided (instruction + scripts only). The package contains Node.js scripts and package.json but nothing is downloaded from third‑party URLs during install. This reduces supply-chain risk; runtime depends on the platform's browser capability (gstack) rather than bundled native installers.
✓ Credential requirements
The skill declares no required environment variables, primary credentials, or config paths. The runtime instructions don't access environment secrets. The requested external capabilities (browser via gstack, optional CouponClaw) are proportionate to the stated functionality.
✓ Persistence and privileges
always is false and the skill is user-invocable (defaults). It can be invoked autonomously per platform defaults, which is normal for skills; it does not request elevated or persistent system-wide privileges.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.4.0 2026/4/22
- Dependency information updated in package.json; no user-facing features changed.
- No changes to user experience or skill behavior.
● Benign
Install command
Official: npx clawhub@latest install buywise
Accelerated mirror: npx clawhub@latest install buywise --registry https://cn.longxiaskill.com