Skill v1.0.0

ClawScan security

ScrapeBadger · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 6, 2026, 3:22 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is internally consistent: it documents a scraping REST API, requires a single API key, has no install steps or extra binaries, and its runtime instructions stay within the stated purpose.
Guidance
This skill appears coherent and only needs an API key for the documented scraping endpoints. Before installing: verify the provider (scrapebadger.com) and that the docs/dashboard URLs are legitimate; prefer issuing a limited/revocable API key (not a long-lived all-access secret); review billing/credit usage and rate limits; confirm scraping these targets complies with Twitter/X, Vinted, and site Terms of Service and privacy rules for your use case; and if you do not want the agent to call the service autonomously, restrict or monitor agent invocation. Also note a minor metadata omission in the registry (primary credential unset) — you may want to confirm the skill author and repository if you need a higher assurance level.

Review Dimensions

Purpose & Capability
ok: Name/description match the declared capability (web scraping for Twitter/X, Vinted, and general sites). The only required secret is SCRAPEBADGER_API_KEY, which is appropriate for a third-party web API client. The package.json repository URL and the SKILL.md base URL point to a single provider, so what the skill claims is consistent with what it requests.
Instruction Scope
ok: SKILL.md is instruction-only and tells the agent to use the web_fetch tool to call documented endpoints and include X-API-Key: $SCRAPEBADGER_API_KEY. It does not instruct the agent to read other files, system credentials, or unrelated environment variables, nor to exfiltrate data to unexpected endpoints. (It does list some provider URLs like docs.scrapebadger.com and mcp.scrapebadger.com for reference; those are informational only.)
Install Mechanism
ok: No install spec is present and there are no code files beyond package.json and SKILL.md, so nothing will be downloaded or written to disk by an installer. This is the lowest-risk pattern for an OpenClaw skill.
Credentials
note: Only one environment variable is required (SCRAPEBADGER_API_KEY), which is proportionate to a service integration. Minor registry metadata inconsistency: 'primary credential' is listed as none in the registry though an API key is required; this is an administrative metadata omission, not a functional mismatch.
Persistence & Privilege
ok: The skill does not request permanent presence (always:false) and does not ask to modify other skills or system configuration. Autonomous invocation (disable-model-invocation:false) is the default and not a red flag by itself.