Skillv1.0.0

ClawScan security

name: cccfindg · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewMar 14, 2026, 8:39 AM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: The skill's stated purpose (searching a corporate address book) matches its instructions, but the runtime instructions ask the user to log into the target site inside a hosted/browser automation environment and automate scraping of sensitive personnel data — this raises privacy and credential-exposure risks that are not addressed in the documentation.
Guidance: This skill automates browsing and scraping of an internal address-book and asks you to log in inside the agent's hosted browser. Before installing or using it: (1) avoid entering corporate credentials into a remote/hosted browser unless you trust the execution environment; prefer copying session data or using an API if available; (2) confirm compliance with your org's privacy policy before automating extraction of employee PII (IDs, phone numbers); (3) test on non-production or dummy accounts first; and (4) if you cannot ensure the hosted browser environment is trusted, do not use this skill — prefer a design that requires you to paste query results manually or a server-side API with scoped credentials.

Review Dimensions

Purpose & Capability: okThe name/description and the SKILL.md consistently describe querying a corporate address-book by organization + position and returning employee contact info. The required capabilities (web browsing, finding form fields, pagination, extracting fields) align with that purpose.
Instruction Scope: concernInstructions require opening a hosted browser to https://222.222china.com/address-book/login, detecting login state, asking the user to perform login in that browser, then automating searches and scraping employee IDs, names, phones, etc. Asking users to log into a hosted/agent-controlled browser can expose credentials and session cookies to the agent environment. The skill also automates full-page scraping and pagination for potentially sensitive PII but does not include any safeguards (e.g., logging policy, data minimization, or destination limits).
Install Mechanism: okThis is instruction-only (no install spec, no downloaded code), so nothing is written to disk by the skill package itself. That limits install-time risk.
Credentials: concernThe skill requests no environment variables or external credentials, which is consistent, but it implicitly requires network access and a hosted browser session where the user will log in. That implicit requirement can lead to credential/session exposure. The SKILL.md does not request credentials explicitly (good) but does instruct the user to authenticate inside the agent's browser (risky for sensitive corporate accounts).
Persistence & Privilege: noteThe skill is not force-enabled (always: false) and has no install-time persistence. The agent is allowed to invoke the skill autonomously (platform default) — combined with the ability to open pages and scrape data, this increases blast radius if the skill were misused, but on its own this is a normal configuration.