Sui Decompile

Pass

Audited by ClawScan on May 1, 2026.

Overview

This instruction-only skill is coherent with its stated purpose of browsing public Sui explorer pages, but users should review its optional headless-browser setup before using it.

This skill appears safe for its stated purpose of reading public Sui contract source from explorer websites. Before using the optional Puppeteer/xvfb workflow, review any local scraper code, avoid unnecessary sudo commands, and keep browser sandboxing enabled unless you understand why it must be disabled.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may open external websites and extract contract code from them on the user's behalf.

Why it was flagged

The skill instructs the agent to use a browser tool against third-party explorer pages and scrape page contents. This fits the skill purpose, but users should ensure the agent only visits intended package URLs.

Skill content

browser action=open profile=openclaw targetUrl="https://suivision.xyz/package/{package_id}?tab=Code"

Recommendation

Use the skill for specific package IDs you intend to inspect, and verify important extracted code against the explorer page.

What this means

If the user chooses the headless setup, it may install system packages and run local JavaScript code.

Why it was flagged

The server/headless section provides optional local shell commands to install xvfb and run a Node scraper. They are documented as setup examples, not hidden execution, but they would affect the local system if followed.

Skill content

sudo apt-get install xvfb
xvfb-run --auto-servernum node scraper.js

Recommendation

Only run the optional setup commands if needed, review any scraper.js code first, and avoid using privileged installation commands unless you trust the environment.

What this means

A browser exploit on an external page would have fewer sandbox protections if this optional configuration is used.

Why it was flagged

The Puppeteer example disables browser sandbox protections while visiting external websites. This is disclosed and optional, but it weakens an important browser safety boundary.

Skill content

args: ['--no-sandbox', '--disable-setuid-sandbox']

Recommendation

Prefer keeping browser sandboxing enabled when possible, and only use no-sandbox settings in tightly controlled environments where they are required.