skill everyday
PassAudited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill Name: skill-everyday Version: 1.0.0 The skill-everyday bundle is a tool designed to scrape the Clawhub website for popular OpenClaw skills and generate local analysis reports. It uses Playwright in scripts/runner.mjs to intercept API calls from clawhub.ai (specifically via wry-manatee-359.convex.cloud) and fetch skill metadata. The script also checks for the presence of local skill directories in the parent folder to include file listings in its reports, a behavior that is transparently documented in SKILL.md. There is no evidence of data exfiltration, unauthorized remote execution, or malicious prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill will contact Clawhub/Convex and create or overwrite local report/state files under the skill's data directory.
The runner drives a browser to fetch public Clawhub data and writes a local report. This is central to the stated purpose, but users should notice the external requests and local file creation.
await page.route('https://wry-manatee-359.convex.cloud/api/query', async (route) => { ... }); await page.goto('https://clawhub.ai/skills', gotoOpts); ... fs.writeFileSync(reportPath, report);Run it only from the intended skill directory, review generated reports before sharing them, and sanitize slugs if adapting the script to less trusted data sources.
Installing the skill as documented may download npm packages and a Chromium browser build.
The skill depends on Playwright from npm with a version range. This is expected for browser scraping but introduces normal package/browser supply-chain considerations.
"dependencies": { "playwright": "^1.49.0" }Install from trusted registries, consider pinning or locking dependency versions, and review npm/Playwright installation prompts in managed environments.
Local reports may persist public Clawhub content plus local path/file-name metadata, which could matter if the report is later shared or reused as agent context.
The skill stores reports and an analyzed list locally; reports may also include a local skill directory path and file names when a matching directory exists.
localFilesNote = `\n### 本地技能目录\n\n\`${targetSkillDir}\`...`; ... fs.writeFileSync(latestPath, report); ... fs.writeFileSync(ANALYZED_FILE, JSON.stringify(analyzedData, null, 2));Inspect reports before sharing, and delete the data directory if you do not want the skill to retain prior analysis state.