Skill v2.0.0

ClawScan security

Trip Planner 0to1 Public · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 29, 2026, 8:24 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
Skill content largely matches a trip-planning web + sync workflow, but the SKILL metadata understates required tools/credentials and the runtime instructions ask the agent/user to fetch and persist sensitive tokens/cookies and to run remote code (npx/Docker/wrangler), creating inconsistencies you should review before installing.
Guidance
What to watch for before installing/use:
- Declared vs actual requirements: The skill metadata claims no required binaries or env vars, but the instructions and templates expect Node (node/npx), Docker (optional), Cloudflare Wrangler, and API tokens/cookies. Treat that as an omission — ensure you have or isolate the required tooling before running.
- Sensitive secrets and cookies: The todo-sync template and examples include fields for a GitHub Gist PAT, a JSONBin master key, Cloudflare KV ids, and even an option to paste a xiaohongshu cookie. Do NOT paste secrets into files that may be checked into repos or exposed publicly. Prefer local-only sync (SYNC_BACKEND='local') or a secured Cloudflare Worker you deploy yourself rather than embedding tokens into HTML/JS served to users.
- Remote code execution risk: The workflow recommends running npx packages and pulling a community Docker image. npx executes remote npm packages (arbitrary code). Only run these after inspecting the package source and ensuring you trust the maintainer. The same applies to any Docker image.
- Local file writes and persistence: Scripts will create files (e.g., ~/.mcp/rednote/cookies.json, /tmp/<page>.html, the trip-sync data dir). Be aware of where credentials/cookies are stored and secure those paths (file permissions; do not expose backups publicly).
- Auto-update / version check: The skill runs a shell command on load to check the remote version and may run 'clawhub update' with user consent. If you allow the agent to run autonomously, consider disabling auto-update or requiring explicit approval for updates.
- Recommended mitigations: run the tool in an isolated environment (container or VM) when first trying it; prefer the local-only backend until you verify the remote sync options; inspect the npm/Docker package repositories before installing; never embed long-lived credentials in client-side JS; and restrict automatic agent actions (decline auto-update without manual review).

Overall: the skill appears to implement what it claims, but the missing declarations about required tools/credentials and the guidance to run remote packages and persist cookies/PATs make it suspicious until you review and lock down those pieces.

Review Dimensions

Purpose & Capability
note: The name/description (end-to-end trip planner with Markdown + multi-page website + todo sync) matches the shipped templates and scripts (HTML templates, patch scripts, todo sync, Cloudflare/self-host examples). However, the skill metadata declares no required binaries or environment variables, while the instructions and templates clearly expect Node (node, npm/npx), Docker (optional), wrangler/Cloudflare tooling, and optional API tokens/cookies (GitHub Gist PAT, JSONBin master key, Cloudflare KV id, xiaohongshu cookie). That mismatch between declared requirements and actual usage is an incoherence to note.
Instruction Scope
concern: SKILL.md mandates a silent version check on load that runs a shell command (clawhub inspect) and, if the user agrees, will run clawhub update. The instructions also direct the user/agent to run npx packages (xiaohongshu-mcp) that persist cookies to ~/.mcp/rednote/cookies.json, to copy/modify todo-sync.js embedding API keys or tokens, to run Node patch scripts that read/write /tmp HTML files, and to deploy Cloudflare Workers or a self-hosted Node sync service. These steps involve reading/writing local files, persisting credentials/cookies, and executing remote code — all beyond simple prompt-only behavior and worth explicit user consent and review.
Install Mechanism
note: There is no formal install spec (instruction-only), which reduces platform-level install risk. But runtime guidance recommends running npx packages, pulling a community Docker image (xpzouying/xiaohongshu-mcp), installing Node scripts, and using wrangler — each of which executes code fetched from external sources. This is expected for the described functionality, but it increases the runtime trust surface (untrusted npm/Docker).
Credentials
concern: The skill metadata lists no required env vars or primary credential, but the templates and instructions expect the user to provide sensitive secrets in configs or files: a GitHub Gist PAT (GIST_CONFIG.token), a JSONBin masterKey, a Cloudflare KV id and possibly Worker binding IDs, and browser cookie values (xiaohongshu_cookie) or cookie files under ~/.mcp/rednote/cookies.json. Asking users to paste PATs/cookies into files or into script constants is sensitive and should have been reflected in requires.env and documented with security guidance.
Persistence & Privilege
note: always:false (good). The skill does not request to be always-on or to modify other skills. One point to note: SKILL.md requires a silent on-load version check (clawhub inspect) and may run clawhub update if the user agrees — that implies the skill can trigger code updates. Autonomous invocation is allowed (platform default); combining that with automatic update behavior and runtime remote package execution increases the blast radius if mishandled, so consider requiring explicit user consent for updates and installs.