Skillv1.2.5

ClawScan security

Prospairrow Websites MCP · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignFeb 28, 2026, 11:18 PM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's declared purpose (Prospairrow prospecting workflows) matches its code, env requirements, and runtime behavior; a few opt‑in features (reading OpenClaw config, saving browser storage, Playwright browser downloads) are worth noticing but are explained in the SKILL.md and gated by environment flags.
Guidance: This skill appears to be what it says: a local MCP server that talks to Prospairrow and optionally uses Playwright for login flows. Before installing, consider the following: - Use a dedicated, least-privilege Prospairrow API key (do not reuse highly privileged org keys). - The runtime will copy source to ~/.openclaw/runtime/websites-mcp and run npm install (packages from the npm registry). Playwright will download browser binaries on first browser use — expect network egress for that. - By default the runtime will NOT read your ~/.openclaw/openclaw.json; only enable WEBSITES_ALLOW_OPENCLAW_CONFIG_API_KEY if you understand the file contents and accept the fallback behavior. If enabled, the code only looks for the prospairrow-websites-mcp key, but it reads the whole file to get there. - Browser login state (storage) is written to secrets/<site>/auth.json by default; set WEBSITES_DISABLE_STORAGE_STATE_WRITE=1 to prevent writes if you don’t want local session persistence. Invocation logging is off by default; enable WEBSITES_LOG_INVOCATIONS=1 only if you want local logs written. - Inspect src/sites/prospairrow/site.json (allowedHosts/baseUrl) before running to confirm the allowlist matches expected Prospairrow endpoints; the runtime enforces an outgoing request allowlist for Playwright network requests. If you accept the above tradeoffs (local server, local storage of optional login tokens, npm/Playwright downloads), the skill is coherent with its stated purpose. If you are uncomfortable with any of the opt-in behaviors, do not enable those environment flags or run the runtime in read-only mode.

Review Dimensions

Purpose & Capability: okName/description, required env var (PROSPAIRROW_API_KEY), declared tasks, and code modules (src/sites/prospairrow/...) align with a Prospairrow integration for prospect extraction/enrichment. The required config path (skills.entries.mcporter.config.servers.websites-mcp.url) maps to the MCP routing described in docs and is justified by the runtime design. Minor extra site entries (reddit, wordpress) exist but are small, documented, and do not contradict the main purpose.
Instruction Scope: noteSKILL.md and docs instruct the agent/user to install the included runtime, run npm install (with --ignore-scripts), and start a local JSON-RPC MCP server. Runtime code performs expected actions: task dispatch, optional headed login flows (Playwright), saving browser storage to secrets/<site>/auth.json, and optional invocation logging. The only out-of-band reads are an optional, explicit opt-in read of ~/.openclaw/openclaw.json for API key fallback (controlled by WEBSITES_ALLOW_OPENCLAW_CONFIG_API_KEY). There is no code that sends data to unknown remote endpoints beyond normal API calls (Playwright/network calls are subject to an allowlist per site config).
Install Mechanism: noteThis is an instruction-only skill with a packaged runtime and an install script that copies source to $HOME/.openclaw/runtime/websites-mcp and runs npm install --ignore-scripts. Dependencies come from npm (playwright, etc.). npm and Playwright will fetch packages/binaries from their normal registries, and Playwright may download browser binaries on first use. The install process avoids running package lifecycle scripts (ignore-scripts) which reduces supply‑chain risk; overall the install approach is expected for a Node-based local runtime but carries standard npm/Playwright network fetch considerations.
Credentials: noteDeclared required credential is a single PROSPAIRROW_API_KEY (primaryEnv). The runtime also supports an API-key-in-headers override and an optional OpenClaw config fallback (WEBSITES_ALLOW_OPENCLAW_CONFIG_API_KEY) which reads ~/.openclaw/openclaw.json to find skills.entries.prospairrow-websites-mcp.apiKey or env.PROSPAIRROW_API_KEY. That fallback is disabled by default and must be opt-in; review that file before enabling. The runtime writes local storage state and logs under the runtime directory (secrets/ and logs/), which is proportional to the login/storage features but may store sensitive session data — the behavior can be disabled with WEBSITES_DISABLE_STORAGE_STATE_WRITE and logging is opt-in via WEBSITES_LOG_INVOCATIONS.
Persistence & Privilege: okSkill does not request always:true, does not auto-enable itself, and runs a local server only after user starts it. It writes files only under its runtime directory ($HOME/.openclaw/runtime/websites-mcp) and a secrets/ subdirectory for auth storage; this is reasonable for a runtime that optionally stores browser login state. No evidence it modifies other skills' configurations or escalates privileges.