Skill v1.0.3
ClawScan security
codropshipping查看商品 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 13, 2026, 3:36 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This skill's instructions, permissions, and lack of extra credentials are consistent with its stated purpose of web-scraping CoDropshipping search results and returning a table.
- Guidance: This skill appears coherent for scraping CoDropshipping search results, but before installing consider: (1) scraping may violate the site's terms of service—check CoDropshipping's rules; (2) the skill will access the web and render pages via a browser interface, so it can retrieve any public page content; (3) translation steps might cause the agent to use external services (which could require API keys) unless handled internally; (4) avoid frequent automated queries to prevent rate-limiting or blocking; and (5) if you need stronger assurance, ask the publisher for a homepage/source or prefer a skill that uses an official API (with explicit credential handling) rather than page scraping.
Review Dimensions
- Purpose & Capability: ok. The name/description match the SKILL.md instructions: extract search terms, translate to English, browse CoDropshipping search, click search, scrape product fields and return a table. No unrelated environment variables, binaries, or installs are requested.
- Instruction Scope: ok. The runtime steps are narrowly scoped to web access and scraping of search results on CoDropshipping. The instructions do not ask the agent to read local files, access unrelated credentials, or exfiltrate data to third parties. Edge-case handling mentions retrying on anti-scraping rather than evasion.
- Install Mechanism: ok. There is no install spec and no code files (instruction-only), so nothing is written to disk or downloaded during install — lowest-risk installation model.
- Credentials: ok. The skill declares network and browser permissions in SKILL.md (needed for scraping) and requests no credentials or config paths. This is proportionate to the task. One minor note: the instruction to "convert to English" doesn't specify how — the agent might call an external translation API (which could require credentials) if not handled locally.
- Persistence & Privilege: ok. always is false and there is no indication the skill modifies other skills or system-wide settings. It requires ordinary runtime network/browser access only when invoked.
