Skill v1.0.0

ClawScan security

ds160-autofill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 11, 2026, 9:17 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill appears to do what its name says (automatically fill DS-160 forms), but its runtime instructions and script routinely read/write sensitive personal data and explicitly instruct sending page HTML, screenshots, and element context to LLM/image tools — behavior that can leak PII and is not clearly constrained or justified.
Guidance
This skill automates DS-160 filling but will read and store highly sensitive personal data (passport numbers, national IDs, SSNs, security question answers) in workspace files and will take and send screenshots and page HTML to LLM/image tools. Before installing: (1) review the full ds160-filler.js yourself or with someone you trust; (2) confirm where the session and CSV files will be stored and consider using an isolated/ephemeral workspace (set OPENCLAW_WORKSPACE to a safe directory); (3) avoid putting extremely sensitive fields in the CSV or disable any automatic LLM/image calls that would transmit them; (4) ensure the LLM/image endpoints you trust have appropriate privacy guarantees; and (5) if you are not comfortable with potential external transmission of PII, do not enable this skill.

Review Dimensions

Purpose & Capability
note
Name, SKILL.md, YAML and CSV templates are consistent with an automated DS-160 autofill tool: CDP for element location, CSV input, YAML mappings and session persistence all align with the stated purpose. The skill's use of an LLM for translation and element-location assistance is plausible for complex fields.
Instruction Scope
concern
The runtime instructions explicitly direct the agent to: read user CSV (contains passport/ID/SSN examples), read/write session files including securityQuestion/securityAnswer, take screenshots of captcha areas, and send page snapshots/HTML and element info to the LLM/image tool. Those steps will expose highly sensitive PII to any external service the LLM/image tool uses and grant the skill broad discretion to collect and transmit form contents.
Install Mechanism
ok
There is no install spec (instruction-only plus included script and reference files). No remote downloads or package installs are requested, which reduces supply-chain risk. The presence of local JS and reference files means code will be executed by the agent runtime; evaluate that code before running.
Credentials
concern
The skill requests no explicit credentials, but the script reads and writes files in a workspace (uses OPENCLAW_WORKSPACE or defaults to a hardcoded /home/jasonzhao/.openclaw/workspace). It stores security question/answer and application IDs in plaintext session files and will process national ID / passport / SSN fields from CSV — all highly sensitive. Using LLM/image tools to resolve translation/captcha implies sending that sensitive content externally. The hardcoded workspace default is also a minor red flag (developer path baked in).
Persistence & Privilege
ok
always is false and the skill is user-invocable. It persists session state to files within the workspace, which is expected for resume capability; this is normal but increases the sensitivity of what is stored on disk.