Skill v1.0.0

ClawScan security

Kura Sushi Booking (E-Pai-Ke) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Mar 13, 2026, 12:19 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The instructions match the stated booking automation purpose, but they inconsistently assume access to local credential files and suggest running injected JS / Playwright without declaring required credentials or installs — this mismatch could expose secrets or cause unexpected file access.
Guidance
This instruction-only skill appears to do what it says (automate bookings on e-pai-ke) but has important gaps and privacy risks. Before installing or using it, confirm: (1) where and how you will supply login credentials — prefer explicitly-declared secure env variables rather than a plaintext notes file in the workspace; (2) whether the agent is allowed to read e-pai-ke/notes.md or any other local files (the SKILL.md references this path but the manifest doesn't declare it); (3) if you plan to follow the Playwright suggestion, install Playwright/Node yourself from official sources and inspect any scripts before running; (4) avoid storing passwords in plaintext files accessible to the agent. If you can't verify the skill author or control where credentials come from, treat it cautiously. Asking the skill author to update the manifest to declare required credential inputs (and to document secure handling) would reduce the risk.

Review Dimensions

Purpose & Capability
note: The skill's name/description (E-Pai-Ke booking) aligns with the actions described (navigate site, login, book, cancel). However, the SKILL.md implicitly requires account credentials (for login) and references a specific local file path (e-pai-ke/notes.md) even though the skill metadata declares no required credentials or config paths.
Instruction Scope
concern: Runtime instructions tell the agent to inject JavaScript into web pages to fill credentials and to read login info from a local file (e-pai-ke/notes.md). Those file-access instructions are not declared in the skill manifest and grant the agent permission to read potentially sensitive workspace files. The JS injection approach and Playwright guidance also give the agent discretion over credential usage without explicit secure handling rules.
Install Mechanism
note: There is no install spec (instruction-only), which minimizes disk writes. The README recommends using Playwright for reliability, but does not provide an install step or declare the need for Node/Playwright — a gap that will require manual setup and could lead users to run unvetted binaries/scripts.
Credentials
concern: No environment variables or primary credentials are declared, yet the skill requires account credentials to operate and points to a specific local notes file as the credential source. This is a mismatch: sensitive secrets are implied but not explicitly requested or scoped, increasing the risk of accidental exposure or unexpected file reads.
Persistence & Privilege
ok: The skill does not request always-on presence and uses normal autonomous invocation settings (disable-model-invocation is false). It does not claim to modify other skills or system-wide settings.