Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Web Perf
v1.0.0
Analyzes web performance using Chrome DevTools MCP. Measures Core Web Vitals (FCP, LCP, TBT, CLS, Speed Index), identifies render-blocking resources, network dependency chains, layout shifts, caching issues, and accessibility gaps. Use when asked to audit, profile, debug, or optimize page load performance, Lighthouse scores, or site speed.
⭐ 2· 4.6k·28 current·29 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (web performance audit, Core Web Vitals, network and a11y checks) matches the SKILL.md workflow and the MCP tool calls (navigate_page, performance_start_trace, performance_analyze_insight, list_network_requests, take_snapshot). The actions requested are appropriate for the stated purpose.
Instruction Scope
The instructions stay focused on auditing and (optionally) inspecting a codebase. They explicitly tell the agent to query the MCP server and to scan the local repo for build/config files when codebase access is available — this is appropriate for a code audit but does involve reading project files (expected). No instructions request unrelated system secrets or external exfiltration.
Install Mechanism
There is no formal install spec, but the SKILL.md recommends adding an MCP config that runs `npx -y chrome-devtools-mcp@latest`. That implicitly requires node/npx and will fetch/run code from the public npm registry. This is a reasonable runtime step for MCP usage but is not declared in the skill metadata and carries the usual risk of running third‑party npm packages.
Credentials
The skill declares no required environment variables or credentials (appropriate). However, it implicitly requires local platform dependencies (node/npx, a Chrome/Chromium accessible to MCP) which are not listed. No sensitive credentials are requested.
Persistence & Privilege
The skill is instruction-only, has no install spec that writes files, and does not request 'always: true' or other elevated/persistent privileges. It does not ask to modify other skills or global agent settings.
Scan Findings in Context
[no_regex_findings] expected: This skill contains no code files (instruction-only), so the regex-based scanner had nothing to analyze — that is expected for an instruction-only MCP workflow.
Assessment
This skill is coherent for auditing site performance, but review a few practical points before installing:
1) The SKILL.md asks you to run an MCP helper via `npx chrome-devtools-mcp@latest`; that will download and execute code from npm — inspect that package/source first and only run it in an environment you trust.
2) The instructions implicitly require node/npx and a Chrome/Chromium reachable by the MCP server; ensure those are installed and isolated from sensitive data.
3) If you plan to use Phase 5 (codebase analysis), the agent will access your repository files — only allow that on repos you control or where you’re comfortable sharing code.
4) No secrets or environment variables are requested by the skill, which is good.
If you want higher assurance, ask the publisher for the MCP helper’s repository and a signed release, or run the MCP helper in an isolated container/VM before using this skill.
Like a lobster shell, security has layers — review code before you run it.
