
ClawScan security

Traktor Web Scraper · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 19, 2026, 3:20 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's instructions match a web-scraper purpose, but they include aggressive, high-coverage scraping (parallel background agents), unsanitized shell command substitutions for directory names, and rely on a browser-extension MCP — these details raise operational and data-exfiltration risks that are not addressed in the SKILL.md.
Guidance
This skill appears to be a high-coverage web scraper and is coherent with that purpose, but it has operational risks you should consider before installing:

- Sanitize input: The SKILL.md substitutes a derived {site-name} directly into mkdir bash commands. A specially crafted URL could lead to unsafe directory names or path/command injection. Only run this against sanitized or trusted inputs, or ensure the implementation safely escapes filenames.
- Resource and scope control: The skill spawns background Task subagents and promises 'paranoid' thoroughness. That can create many concurrent crawlers, consume large bandwidth/storage, and potentially overload systems or your agent environment. Limit the number of parallel jobs and set clear depth/size limits before running.
- Data sensitivity: The scraper runs JavaScript in page context and will download whatever assets it finds. Do not run it against authenticated/private dashboards or sites with sensitive data you do not own; it can capture private content and credentials present in pages.
- Browser-extension dependency: It requires the claude-in-chrome MCP server (a browser extension) to function. Installing or enabling that extension is a separate trust decision because it gives the extension access to pages visited during scraping.
- Test in a sandbox: Before using on real targets, run the skill in a controlled environment with harmless test sites to confirm behavior (what it downloads, how it names files, and how many background agents it spawns).

If you want to proceed, ask the skill author (or the platform integrator) to: (1) explicitly document and enforce filename/path sanitization, (2) provide configurable limits for concurrency and crawl depth, and (3) state whether the Task tool yields any external network uploads or telemetry beyond saving to PROJECT_DIR.

Review Dimensions

Purpose & Capability
ok: The name/description (extract all site assets) aligns with the instructions: create asset folders, drive a browser via mcp__claude-in-chrome__* tools, run page JS to discover assets, and spawn Task subagents to process each site. No unrelated credentials, binaries, or installs are requested.
Instruction Scope
concern: Instructions direct the agent to create directories in the current working directory, spawn background Task subagents for each URL, navigate pages, run arbitrary JS in page context, and perform thorough crawling. The SKILL.md does not require or show any sanitization of derived values (e.g., {site-name} used directly in mkdir commands); this can lead to shell/path injection or unintended filesystem writes. The spec also enables wide crawling (likely including following links and downloading many assets), which can capture sensitive or private content and consume large amounts of bandwidth/storage.
Install Mechanism
ok: Instruction-only skill with no install spec or code files reduces installer-side risk. The skill does require an external browser-extension MCP to be present (claude-in-chrome), but does not attempt to install it.
Credentials
ok: No environment variables, credentials, or config paths are requested. This is proportionate for a scraper that operates via the browser automation tools described.
Persistence & Privilege
note: always is false and disable-model-invocation is false (normal). However, the skill instructs use of the Task tool with run_in_background=true to spawn parallel subagents; combined with its 'paranoid' thoroughness, this can create many autonomous background tasks and heavy resource usage. The skill does not request modification of other skills or system-wide settings.