Skill v1.0.0

ClawScan security

Lightcone Browse · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 16, 2026, 2:49 PM
Verdict: Benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's requirements and runtime instructions are coherent with a cloud-based browser automation tool, but the API key grants broad access to remote browsing/screenshot data and you should verify the vendor and scope of the key before use.
Guidance
This skill appears to do what it says (cloud browser automation), but it will send screenshots and page content to the remote service using the provided API key. Before installing: verify the vendor (docs.lightcone.ai) and that TZAFON_API_KEY is the correct/documented credential name; use a dedicated, least-privilege API key; avoid running this skill on pages with sensitive credentials or personal data; review the service's privacy/security policy; monitor API key usage and rotate/revoke the key if you see unexpected activity. If you need higher assurance, ask the publisher for details about what the API key can do and whether it can be scoped or rate-limited.

Review Dimensions

Purpose & Capability
ok: The skill describes cloud browser automation and only requests a single API key (TZAFON_API_KEY), which is consistent with calling a third-party browsing service. Note: the env var name (TZAFON_API_KEY) is somewhat unusual compared to the skill name (Lightcone); confirm this is the documented key name for the Lightcone service or the intended provider.
Instruction Scope
note: SKILL.md instructs the agent to create cloud browser sessions, take screenshots, and return page content — all expected for this capability. This means page HTML and screenshots will be sent to the remote service; that is expected behavior but is privacy-sensitive and could expose credentials or personal data if used on authenticated pages.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files, so nothing is written to disk by an installer. Low technical installation risk.
Credentials
note: Only one environment variable (an API key) is required, which is proportionate to a cloud browsing service. However, that key likely allows creating remote machines and viewing all pages/screenshots — a high-privilege capability. Ensure the key is scoped appropriately and dedicated to non-sensitive tasks.
Persistence & Privilege
ok: The skill is not marked always:true and has no special persistence or system-wide config changes. Be aware the platform default allows autonomous invocation; combined with the API key this permits the agent to invoke remote browsing without further user prompts.