Skill v1.0.0
ClawScan security
Web Article to Obsidian · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 29, 2026, 6:59 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's stated purpose (scrape web articles into an Obsidian vault) is plausible, but there are multiple inconsistencies and risky assumptions (missing install steps for required packages, mismatched env var declarations, and a hardcoded /root vault path) that warrant caution before installing or running it.
- Guidance: This skill generally does what it says (scrapes articles and writes Markdown), but there are several red flags you should address before installing or running it:
  - Clarify env vars: _meta.json and SKILL.md reference TAVILY_API_KEY, but the top-level registry lists none. If you plan to use Tavily fallback, set & protect TAVILY_API_KEY; otherwise confirm the skill behaves when the key is absent.
  - Fix the vault path: unified_fetch.py hardcodes VAULT_BASE = '/root/Documents/Obsidian Vault/llm-wiki'. Change this to a user-configurable path (or the agent's home directory) before running, especially if the agent will not run as root.
  - Install dependencies deliberately: the skill expects Python packages (playwright, requests, beautifulsoup4) and optionally the firecrawl CLI. There is no install script — ensure these are installed from trusted sources (PyPI, official Playwright docs, official Firecrawl) in a sandboxed environment first.
  - Review subprocess usage: the script invokes external commands (e.g., firecrawl via subprocess). Confirm what commands will be run and that no unexpected network endpoints or payloads are contacted. Audit the full unified_fetch.py for any hardcoded remote endpoints or telemetry.
  - Run in a sandbox: test the skill in an isolated environment or container, not on a production machine or a host with sensitive files, until you are comfortable with where it writes files and what network calls it makes.

  If the author can supply: (1) a corrected registry manifest that lists required env vars and installation steps, (2) an option to configure the vault path (or default to a non-root home path), and (3) an explicit install spec or instructions, my assessment would move toward benign. As-is, treat it as 'suspicious' due to the inconsistencies and filesystem assumptions.
Review Dimensions
- Purpose & Capability (note): The name and description match the code and instructions: the skill fetches web articles, cleans them, classifies by industry, and writes Markdown into an Obsidian-style vault. Declared dependencies (playwright, requests, beautifulsoup4) and optional CLI (firecrawl) are coherent with that purpose. However, registry-level metadata at the top claims 'Required env vars: none' while _meta.json and SKILL.md reference TAVILY_API_KEY — an inconsistency. Also the script hardcodes a vault path under /root, which is surprising for a user-level Obsidian integration and is not documented in SKILL.md.
- Instruction Scope (concern): SKILL.md instructs use of multiple extraction methods including agent-provided Hermes tools and external tools (Playwright, Tavily API, Firecrawl). The included Python script will create directories and write files into the filesystem (VAULT_BASE = '/root/Documents/Obsidian Vault/llm-wiki'), and invokes external tooling (Playwright, subprocess calls like firecrawl). These actions go beyond purely ephemeral network requests: they persist data on disk and may spawn CLI processes. The instructions do not document asking the user to confirm or configure the vault path, nor do they clearly limit access to a user-specified directory.
- Install Mechanism (concern): There is no install spec (instruction-only), yet _meta.json lists Python and packages (requests, beautifulsoup4, playwright) and optional firecrawl CLI. Without an install mechanism, runtime may fail or the agent may attempt to run code that depends on missing packages. The lack of an explicit, trusted install source for Playwright/firecrawl and no automated environment checks is an operational risk and an incoherence between manifest and packaging.
- Credentials (concern): _meta.json and SKILL.md reference TAVILY_API_KEY (Tavily API) but the top-level registry shows 'Required env vars: none'. This mismatch is important: if Tavily is used as a fallback it legitimately needs an API key, and that should be documented and gated. Other than Tavily, no unrelated credentials are requested. The script's hardcoded vault path (/root/...) implicitly assumes write permissions to a root-owned path — an elevated filesystem expectation not declared in metadata.
- Persistence & Privilege (concern): The skill writes persistent files to the local filesystem (raw/ and sources/ under a hardcoded VAULT_BASE). While storing to an Obsidian vault is the declared purpose, writing to /root/Documents/Obsidian Vault is a privileged and surprising default. The skill is not marked always:true, but its filesystem persistence and subprocess invocation increase blast radius if run in a privileged environment. The skill does not appear to alter other skills or system config, but the hardcoded path and disk writes are notable.
