Skill v2.1.0

ClawScan security

Drission Agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 15, 2026, 11:37 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill superficially matches a web-automation toolkit (Chrome/CDP, headless helpers) but the packaging and gating claims are inconsistent and rely on an undeclared environment variable and missing wrapper files, which reduces trustworthiness.
Guidance
This package looks like a legitimate web automation toolkit, but several packaging and governance claims do not add up: secure_wrapper.py (the asserted human-in-the-loop entry point) and requirements.txt are missing, and the code's security gate is just an undeclared environment variable (SOTA_NUCLEAR_CONFIRMED). Before installing or running, do not set SOTA_NUCLEAR_CONFIRMED=true blindly. Instead: (1) ask the publisher for the missing secure_wrapper.py and full requirements.txt and verify the wrapper enforces an actual human challenge; (2) inspect all code that would run with SOTA_NUCLEAR_CONFIRMED=true to confirm there are no hidden network endpoints or exfiltration paths; (3) run only in an isolated sandbox or VM, and limit network access if you must test; (4) treat the local TCP relay as sensitive — it can be used to proxy local services (e.g., Chrome remote-debugging) and should be audited. If the maintainer cannot explain the missing files and the gating design, consider this package untrustworthy.

Review Dimensions

Purpose & Capability
Note: Requesting google-chrome-stable, xvfb-run, and dbus-launch and Python web/HTML libs aligns with a headless web automation/CDP toolkit. However the SKILL.md and _meta.json claim critical wrapper scripts (secure_wrapper.py, force_takeover.py, ultra_experiment.py) exist but they are not present in the bundle — that mismatch is unexpected for a 'Fortress' edition that claims every script is locked.
Instruction Scope
Concern: Runtime instructions repeatedly assert that 'secure_wrapper.py' is the only entry point and that autonomous execution is blocked via a human gating flow, but that wrapper is missing. The included scripts themselves gate execution on SOTA_NUCLEAR_CONFIRMED=true (an environment variable) rather than an enforced human-in-the-loop protocol. The instructions also direct 'pip install -r requirements.txt' but no requirements.txt is included. Reliance on an environment variable flag (not declared in requires.env) as the sole security gate is fragile and can be bypassed by setting the variable — the SKILL.md's human-gating claim is therefore misleading.
Install Mechanism
Note: There is no formal install spec (instruction-only), which is low-risk in principle. But the instructions call for pip install -r requirements.txt while no requirements.txt file is bundled. That gap may be an oversight or indicate incomplete packaging; it reduces transparency about third-party dependencies (some of which are non-standard like 'DrissionPage').
Credentials
Concern: The code enforces gating via the environment variable SOTA_NUCLEAR_CONFIRMED, but requires.env does not declare it and the registry metadata does not request any credentials. Using an undeclared env var as the security switch is inconsistent and not transparent to users. The scripts open outbound HTTP to arxiv.org (expected for search) and create a local TCP relay (127.0.0.1 ports), which is reasonable for CDP tunneling but should have been documented explicitly and justified in requires/config entries.
Persistence & Privilege
Note: The skill does not request 'always: true' and does not declare special persistence. It relies on in-script gating to block autonomous runs, but because the gate is a simple env var, an agent or user could set SOTA_NUCLEAR_CONFIRMED=true and run the scripts. The claimed 'Autonomous Invocation Blocked' in SKILL.md is therefore only true if the missing secure_wrapper.py is present and enforced — which it is not in this package.