Skill v1.0.0

ClawScan security

Shopping in Sweden · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 15, 2026, 7:41 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's instructions coherently implement automated checkout (including using the local CDP interface and reading local files for recipient and card data), but it contradicts its declared metadata (no required config paths / env) and asks the agent to read sensitive local files — a privacy/high-privilege behavior that should be explicitly justified and disclosed before installing.
Guidance
Key things to consider before installing or enabling this skill:

- The skill's runtime explicitly reads sensitive files from your home directory (~/Private/用户个人信息.txt and files containing the 'Zupyak Mynt Card'). The registry metadata does NOT declare these config paths — ask the author to declare them and explain why those exact files are required.
- The skill uses the local CDP endpoint (ws/http on 127.0.0.1:18800) to control iframes and inject mouse/key events. CDP access can interact with any open browser target and potentially see other pages/tabs. Only allow this skill if you trust its source and you are comfortable with that level of local browser control.
- There are hard-coded example card details in the reference files. Confirm these are dummy/test values; never store real card numbers in plaintext files in your home directory. Consider using ephemeral/virtual card numbers (bank-provided one-time cards) instead of a persistent file.
- If you want to proceed, require these mitigations:
  (1) insist the skill author update metadata to list required config paths and any other secrets;
  (2) require explicit, per-order user confirmation (the SKILL.md already says so — verify the agent enforces it);
  (3) avoid storing real cards in cleartext and prefer short-lived tokens;
  (4) run the skill in a restricted/test environment first and monitor network/DevTools activity;
  (5) prefer manual checkout for high-value purchases.

If you cannot get the author to declare and justify the local-file access and to remove hard-coded sensitive values, treat the skill as untrusted and do not enable it with access to your real payment/recipient files.

Review Dimensions

Purpose & Capability
concern: The name/description (shopping in Sweden using a designated card) matches the runtime behavior (search, add to cart, checkout, handle payment iframes). However the skill metadata declares no required config paths or credentials while the runtime instructions explicitly require reading sensitive local files (~/Private/用户个人信息.txt and two payment-card files). That metadata/instruction mismatch is an incoherence and should be corrected/justified.
Instruction Scope
concern: SKILL.md instructs the agent to read personal recipient data and payment card details from specific local filesystem paths and to connect to the platform's local CDP endpoint (127.0.0.1:18800) to operate inside cross-origin payment iframes. Reading and submitting private files to external shopping sites is within the stated shopping purpose, but referencing hard-coded local paths (including a Chinese-named file) and using the CDP to control any browser target increases the blast radius and should be explicitly authorized by the user.
Install Mechanism
ok: This is an instruction-only skill with no install spec and no code files executed by the registry installer, which reduces supply-chain risk. The runtime instructions themselves include Python snippets that the agent would run; that is expected for this kind of skill.
Credentials
concern: The registry declares no required environment variables or config paths, but the instructions require direct access to sensitive local files containing recipient details and the Zupyak Mynt Card. That is disproportionate to the declared metadata and constitutes sensitive credential/file access that should be declared and minimized. The references include an explicit card number/example in the docs — presence of hard-coded card data is alarming and should be removed or marked clearly as a fake/test card.
Persistence & Privilege
note: 'always' is false and the skill is user-invocable; it can be invoked autonomously (platform default). The skill needs direct access to the local CDP interface during a run, which allows controlling browser targets and could access other pages; this is powerful but not permanent. No evidence the skill modifies other skills or requests permanent presence.