Skillv1.0.1

ClawScan security

mailprocess · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 11, 2026, 3:21 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's code and instructions match a browser-automation low-code builder (mali-builder), but metadata/packaging inconsistencies (skill name 'mailprocess') and the scripts' broad JS injection/click logic warrant caution before installing or granting browser-control privileges.
Guidance: Key things to consider before installing: - Name mismatch: the metadata lists the skill as 'mailprocess' while all docs and scripts implement 'mali-builder'. Ask the publisher why the identifier differs and verify you got the intended package. - Browser automation risks: the scripts will programmatically open Chrome, inject JS into pages and click buttons (falling back to 'click the last button' if unsure). That can cause unintended actions — do not run on a machine/browser/profile that is logged into sensitive services. - Inspect and test: review the AppleScript/JS in scripts/launch-mali-builder.* to ensure it only interacts with the intended target domain (the code opens lowcode.baidu-int.com but the JS selectors run in whatever tab is active). Consider restricting the script to verify the page origin before injecting or clicking. - Least privilege testing: run in an isolated user account or VM, with a browser profile that has no sensitive cookies or credentials, and on a network where the target URL is reachable (README states internal/VPN). - Deployment: if deploying via ducc/zulu, verify what permissions the platform will grant (browser_control, network_access). Don't grant 'always-on' or elevated privileges unless you trust the publisher. - If you cannot verify the package origin or the maintainer, prefer manual workflow: open the target site yourself and paste the requirement instead of allowing automated injection. If you want, I can produce a safer variant of the launcher that verifies document.location.host before injecting or prompts the user to confirm the exact button to click.

Review Dimensions

Purpose & Capability: concernThe declared repository/README and SKILL.md all describe a 'mali-builder' that opens Chrome, injects JavaScript into a web page and clicks buttons to submit a user's requirements to https://lowcode.baidu-int.com/ai-coding. However the top-level name in the provided skill metadata is 'mailprocess' which does not match the described purpose. This name mismatch is an incoherence that could be accidental or deliberate (packaging/identifier mismatch). Other requirements (ducc integration, browser control and network access in README/skill.yaml) align with the described functionality.
Instruction Scope: concernSKILL.md and the included scripts instruct the agent to programmatically open the user's Chrome, insert arbitrary text into page inputs, dispatch input/change events, and click buttons. The JS/AppleScript will try multiple generic selectors and fall back to clicking the last button on the page if it cannot find a target — a very broad action that could trigger unintended actions on other pages. The instructions do not read unrelated local files or request environment secrets, but they do perform privileged UI automation and DOM mutation on a live page, which can have unexpected side effects. There is no explicit telemetry/exfiltration in the code, but the mechanism (injected JS) could be modified to read page content or send data elsewhere, so granting browser-control is sensitive.
Install Mechanism: okNo external downloads or package installs are performed. The project is an instruction+scripts bundle with an install helper that packages files or uses ducc-cli if present. There are no URLs fetching arbitrary archives or use of shorteners — install scripts are local and simple. This is relatively low-risk compared to remote binary downloads.
Credentials: noteThe skill requests no environment variables or secrets in metadata. README/skill.yaml mention permissions such as 'browser_control' and 'network_access' which are proportionate to a web automation skill. There are no unrelated credentials requested. Still, because the skill controls the browser and sends data to an internal URL, users should ensure no sensitive secrets (cookies, tokens, or confidential text) are passed as the 'requirement' parameter.
Persistence & Privilege: okalways: false; the skill does not request always-enabled or system-wide configuration changes. The install script packages and uploads files to ducc, but does not modify other skills or agent-wide settings. The primary privilege is runtime browser-control which is expected for this use-case but sensitive.