Skill v1.0.0

ClawScan security

Abstract Searcher · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 15, 2026, 5:15 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's code and APIs match its stated purpose, but the runtime instructions ask the agent to control your real Chrome session and use OS automation (mac-control), which can access private/authenticated data and is not declared or constrained — this mismatch raises privacy and scope concerns.
Guidance
This skill mostly does what it says when it uses the public APIs, but SKILL.md also asks the agent to control your real Chrome session and, optionally, to use OS automation (mac-control) to scrape paywalled pages. Before installing or enabling it:
(1) consider running the Python script manually in a local terminal rather than letting the agent drive your browser;
(2) do not give the agent access to your Chrome profile or to any OS automation tools unless you trust it;
(3) if you must allow the browser fallback, inspect and limit the browser-relay and tooling permissions, and run it in a separate browser or profile that holds no sensitive logins;
(4) review the script yourself (it uses only the listed public APIs) and monitor its network activity to confirm it contacts only the stated endpoints.
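One way to carry out point (4) for a script like scripts/add_abstracts.py, as an added example for this report (not code from the skill or from ClawHub): a static scan of the URL literals in the script, plus an in-process runtime guard that refuses any name resolution for a host outside an allowlist. The four hostnames in ALLOWED_HOSTS are assumed from the APIs the report names and should be checked against the real script; SAMPLE_SOURCE is a constructed stand-in for the script, with a deliberately planted off-list URL.

```python
"""Egress allowlist check: static URL scan plus an in-process runtime guard.

Added example for this report, not part of the skill or of ClawHub.
"""
import re
import socket
from urllib.parse import urlparse

# ASSUMPTION: hostnames for the four APIs the report lists (arXiv, Semantic
# Scholar, CrossRef, OpenAlex). Verify them against the actual script.
ALLOWED_HOSTS = frozenset({
    "export.arxiv.org",
    "api.semanticscholar.org",
    "api.crossref.org",
    "api.openalex.org",
})

# Constructed sample standing in for scripts/add_abstracts.py. The third URL
# is a planted off-list endpoint for the demonstration, not from the skill.
SAMPLE_SOURCE = '''
import urllib.request
urllib.request.urlopen("https://api.openalex.org/works?search=x")
urllib.request.urlopen("https://export.arxiv.org/api/query?search_query=all:x")
urllib.request.urlopen('https://collector.example.net/upload')
'''

URL_RE = re.compile(r"https?://[^\s'\"<>)]+")


def host_allowed(host, allowed=ALLOWED_HOSTS):
    return host.lower().rstrip(".") in allowed


def find_url_hosts(source):
    """(host, url) for every URL literal in the source text."""
    return [((urlparse(m.group(0)).hostname or "").lower(), m.group(0))
            for m in URL_RE.finditer(source)]


def static_violations(source, allowed=ALLOWED_HOSTS):
    """URLs whose host is off the allowlist. Catches literal URLs only; a host
    assembled at runtime is only caught by EgressGuard below."""
    return [(h, u) for h, u in find_url_hosts(source) if not host_allowed(h, allowed)]


class EgressDenied(OSError):
    pass


class EgressGuard:
    """Replace socket.getaddrinfo for the duration of a `with` block.
    urllib, http.client and requests resolve names through it, so a connection
    attempt to an off-list host fails before any packet leaves the machine.
    In-process only: child processes and other programs are not covered."""

    def __init__(self, allowed=ALLOWED_HOSTS):
        self.allowed = allowed
        self.attempted = []   # every host the guarded code tried to resolve
        self.blocked = []     # the subset that was refused
        self._orig = None

    def __enter__(self):
        self._orig = orig = socket.getaddrinfo

        def guarded(host, port, *args, **kwargs):
            if host is None:  # local bind lookups carry no remote host
                return orig(host, port, *args, **kwargs)
            name = host.decode() if isinstance(host, bytes) else str(host)
            self.attempted.append(name)
            if not host_allowed(name, self.allowed):
                self.blocked.append(name)
                raise EgressDenied(f"egress to {name}:{port} is not on the allowlist")
            return orig(host, port, *args, **kwargs)

        socket.getaddrinfo = guarded
        return self

    def __exit__(self, *exc):
        socket.getaddrinfo = self._orig
        return False


def guard_installed():
    """True while an EgressGuard has socket.getaddrinfo patched."""
    return getattr(socket.getaddrinfo, "__name__", "") == "guarded"


def resolve(host, port=443):
    """Stand-in for the script's network call: a name lookup only."""
    return socket.getaddrinfo(host, port)


def run_guarded(action, allowed=ALLOWED_HOSTS):
    """Run action() under the guard; returns (result, guard), result None if denied."""
    with EgressGuard(allowed) as guard:
        try:
            return action(), guard
        except EgressDenied:
            return None, guard


if __name__ == "__main__":
    for host, url in static_violations(SAMPLE_SOURCE):
        print(f"static: off-list host {host} in {url}")
    _, g = run_guarded(lambda: resolve("collector.example.net"))
    print(f"runtime: blocked {g.blocked}")
```

To apply this to the real script, import it inside `run_guarded` (or wrap its entry point) so every lookup it performs passes through the guard; the static scan is a quick first pass, and the guard is what catches a host that is built from variables rather than written as a literal.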

Review Dimensions

Purpose & Capability
ok
Name and description match the included Python script and the listed APIs (arXiv, Semantic Scholar, CrossRef, OpenAlex). The network calls in scripts/add_abstracts.py are consistent with fetching abstracts.
Instruction Scope
concern
SKILL.md explicitly instructs the agent to attach to a real Chrome profile, use a browser relay to snapshot pages, click results, and (optionally) use 'mac-control' to auto-click a toolbar icon. Those instructions grant access to any content in the user's Chrome (cookies, logged-in sessions, institutional access) and to OS-level automation, which is broader than simply querying APIs and could expose private data; the skill neither declares nor limits this access.
Install Mechanism
ok
No install spec; the skill is instructions plus a single script. That minimizes install-time risk: nothing is written to disk beyond the skill files, and the Python script runs locally and makes direct API calls.
Credentials
note
The skill requests no environment variables or credentials (the scripts use only public APIs). However, the browser fallback relies on the user's Chrome profile and OS automation to reach paywalled pages, so it implicitly uses the credentials and cookies stored in the browser even though no credentials are declared.
Persistence & Privilege
ok
always:false and no special persistence requested. The skill does not modify other skills or system-wide settings (based on the provided files). Autonomous invocation is the platform default but is not combined here with other high privileges.