Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description (web scraper) match the presence of curl as a required binary. However, marketing claims (continuous 24x7 operation, API integrations) suggest runtime components and credentials that are not declared. Also the metadata lists a 'primary credential' of 'bash', which is not a normal credential and is unexplained.
Instruction Scope
SKILL.md contains only descriptive/marketing text and an installation command; it does not instruct the agent to read system files, environment variables, or contact any hidden endpoints. There are no runtime commands or file I/O instructions embedded in the skill content itself.
Install Mechanism
No install spec and no code files are included (instruction-only skill). That minimizes immediate install-time risk; however the SKILL.md references 'clawhub install smart-data-scraper' which would fetch content from the registry at install time—the registry source is 'unknown' and there is no homepage, so the provenance is unclear.
Credentials
The skill declares no required environment variables but claims API integrations and continuous operation; these typically need credentials. The metadata's 'primary credential' is set to 'bash', which is nonsensical for a credential and indicates a misconfiguration or sloppy metadata. This mismatch is a red flag because required secrets or access needs are not transparently declared.
Persistence & Privilege
always is false and there are no requested config paths or system modifications. The skill does not request persistent/system-level privileges in the provided metadata.
What to consider before installing
This skill appears to be a marketing/placeholder instruction-only skill for a web scraper. Before installing: (1) Ask the publisher to explain the 'primary credential: bash' entry and to list exactly which credentials (if any) the skill needs for its API integrations; (2) Verify the skill's provenance—there is no homepage and the source is unknown; prefer skills from known maintainers; (3) Do not provide any sensitive credentials (AWS, database, or site admin tokens) until you see concrete code and understand how they'll be used; (4) If you install, inspect the code downloaded by clawhub (if any) before running it and run it in a sandboxed environment; (5) Be aware scraping can violate target site terms of service or legal restrictions—confirm it's appropriate for your use case.Like a lobster shell, security has layers — review code before you run it.
latestvk971drnv1d0p7p7h4grrsha96983fey8
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
Binscurl
Primary envbash