Skillv2.0.1

ClawScan security

爬论文与人才触达工作流 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 12, 2026, 10:30 PM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's description and scripts (web scrapers, Feishu integration, BrightData usage) match its stated purpose, but the runtime instructions expect multiple credentials, external services, and sensitive operations that are not declared in the registry metadata—this mismatch and the targeting/ethnicity-identification behavior are concerning.
Guidance: This skill contains full scraping scripts and explicit instructions to use OpenReview credentials, BrightData MCP tokens, and Feishu app_tokens to read and write user data, but the registry entry does not declare any required environment variables or permissions—this is a mismatch you should not ignore. Before installing or enabling it: 1) Require the author to declare exact env vars and scopes (OpenReview, BrightData, Feishu) and justify each; 2) Review and audit the scripts in a sandboxed environment (network-isolated VM) to confirm exactly what endpoints are called and what data is transmitted; 3) If you plan to connect Feishu or other production systems, use a limited-test account with minimal scopes and never reuse high-privilege tenant credentials; 4) Be aware the skill performs bulk email extraction and demographic ("华人") classification — verify legal/ethical compliance in your jurisdiction and organizational policy before using; 5) Prefer an explicit opt-in trigger (do not allow the skill to auto-run on vague matching intents) and require human approval before performing writes to external services. If the author cannot or will not clearly document required credentials and data flows, treat the skill as untrusted.

Review Dimensions

Purpose & Capability: concernThe name/description (discover AI/ML researchers and generate outreach) matches the included scripts (openreview_scraper, cvf_paper_scraper, github_network_scraper, lab_member_scraper, cloudflare_email_decoder, serper_search, httpx_scraper). However the SKILL.md and README repeatedly instruct use of credentials and external services (OpenReview username/password, BrightData MCP token, Feishu app_token/table access) even though the registry metadata lists no required environment variables or credentials. Also the README/refs include many Feishu scopes and BrightData usage examples which are not reflected in requires.env—this mismatch is disproportionate and unexplained.
Instruction Scope: concernThe SKILL.md instructs the agent to perform network scraping, decode Cloudflare-protected emails, extract and write CSV to /tmp, parse Feishu multi-dimensional table links to pull app_token/table_id, read and update Feishu records in bulk, and call BrightData MCP. It also instructs automatic triggering whenever user intent matches ("should be triggered even if user didn't explicitly say 'use Mapping-Skill'"). These instructions request access to sensitive data (personal emails, profiles) and sensitive actions (bulk writing to Feishu, generating outreach). They also direct the agent to use credentials that are not declared, and to perform ethnicity detection ("识别华人"), which is a sensitive classification. The instruction scope therefore goes beyond simple search tasks and requires clear, declared permissions and user consent.
Install Mechanism: noteThere is no install specification in the registry (instruction-only), which is lower risk than arbitrary downloads. However the repository contains many Python scraper scripts and the README lists Python package dependencies (requests, BeautifulSoup, httpx, openreview-py, PyMuPDF, pandas, etc.). Those dependencies and any time-of-run network calls are not declared in the registry manifest. The absence of an install step means operators may run these scripts in an environment without expected sandboxing or dependency checks; this is a practical risk but not a direct sign of maliciousness.
Credentials: concernThe skill declares no required environment variables or primary credential, yet the SKILL.md and README explicitly show code and examples that require: OpenReview username/password (OPENREVIEW_USER/OPENREVIEW_PASSWORD), BrightData MCP token (mcp URL token), and Feishu app_token / API credentials. The README also lists broad Feishu scopes. Requesting/using these credentials is proportionate for the described integrations only if they are explicitly declared and limited; the lack of declared env vars/config paths is an incoherence and increases the chance of accidental credential leaks or misuse. Additionally, the skill's built-in capability to identify '华人' (Chinese authors) is a sensitive demographic classification and requires careful justification and consent.
Persistence & Privilege: notealways:false and disable-model-invocation:false are standard. The SKILL.md's guidance that the skill 'should be prioritized' or 'should trigger even if user didn't explicitly request it' implies broad auto-invocation for matching intents; while autonomous invocation itself is normal, the combination with undisclosed credential needs and operations that modify external systems (Feishu batch updates) raises a surface-area concern. The skill does not request persistent 'always:true' privileges in the registry metadata.