Skill v0.1.1

ClawScan security

X Article Reader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 12, 2026, 2:28 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and requirements are coherent with its stated purpose: it uses a local Playwright/Chromium browser to fetch X article text and macOS 'say' for TTS, and it stores a local browser session for login—nothing appears to request unrelated credentials or contact unexpected endpoints.
Guidance
This skill appears to do what it says, but please consider: (1) It requires pip install patchright and will download Chromium (~170MB) — only do this if you trust the source. (2) You must log into X in the opened browser; the session cookies are saved in <skill_dir>/data/browser_state and are sensitive—store or delete them if you have concerns. (3) It uses macOS 'say', so it’s macOS-only. (4) If you want extra caution, inspect the two included Python scripts yourself (they're small and readable) or run them in an isolated environment/user account. If you don't trust storing X session tokens locally, avoid running auth_setup.py.

Review Dimensions

Purpose & Capability
ok: Name/description match the actual behavior: scripts open X article pages with a local headless Chromium (via patchright/playwright), extract title/body, and use macOS 'say' to speak or save audio. The need to perform a browser login and to download a local Chromium runtime is reasonable for accessing X articles that require authentication.
Instruction Scope
ok: SKILL.md and the two Python scripts restrict actions to the stated task: launching a browser, navigating to x.com, extracting article text, saving a local storage_state file, and invoking macOS TTS. The code does not attempt to read unrelated system files, environment variables, or post data to third‑party endpoints. It does persist browser storage (cookies/session) to the skill's data directory as documented.
Install Mechanism
note: There is no formal install spec; SKILL.md asks you to pip install patchright and run 'python3 -m patchright install chromium' which will download Chromium into the user's cache (~170MB). This is expected for a Playwright-based local browser workflow but does involve fetching runtime binaries from the internet and installing Python packages from PyPI.
Credentials
note: The skill requests no environment variables or external credentials. It does require you to log into your X account in a browser and stores the session (storage_state) under <skill_dir>/data/browser_state. That storage will contain session cookies/token material for X—this is necessary for the stated purpose but is sensitive data the user should protect.
Persistence & Privilege
ok: No elevated privileges requested: always:false, user-invocable true, no modifications of other skills or system-wide configs. The skill creates and uses its own data directory under the skill folder only.