ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

santanna-pisa-monitor-skill

v1.0.0

Monitor job postings, admissions, courses, and research opportunities from Scuola Superiore Sant'Anna di Pisa

0· 32·0 current·0 all-time
byFabio Baroni@fabiobaroni
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the instructions: it scrapes public Sant'Anna Pisa pages for jobs, courses, and deadlines. However, the SKILL.md explicitly says it uses 'browser automation' and expects scheduled/delta checks but the skill declares no required binaries, runtime tools, or storage mechanisms — a minor mismatch between claimed method and declared requirements.
!
Instruction Scope
Instructions tell the agent to navigate specific site pages, scroll, and extract structured fields (publication date, ID, deadlines, PDFs, etc.). They also describe scheduled monitoring and 'report only what's changed since last check' (implying persistent storage). The instructions do not reference any external endpoints or secret access. The concern is the implicit requirements (a browser automation runtime and a place to store previous-run state) are not specified, granting the agent freedom to choose any mechanism — this ambiguity increases risk and operational surprise.
Install Mechanism
This is an instruction-only skill with no install spec or code files, which is the lowest-risk install pattern. Nothing will be written to disk by a packaged installer.
Credentials
The skill declares no required environment variables, credentials, or config paths. That is proportionate to its stated purpose (scraping a public website).
!
Persistence & Privilege
The README and SKILL.md discuss scheduled recurring checks and reporting only changes since the last run, implying persistent storage of previous results. The skill does not request explicit config/storage paths or explain how state is persisted, and always:false (not force-installed). This mismatch may lead the agent to use platform-global storage or other unexpected locations — clarify where state lives and retention behavior.
What to consider before installing
This skill appears to do what it says (monitor public pages), but it relies on browser automation and persistent state without declaring how those are provided. Before installing, ask the author or maintainer: (1) which browser automation tool/runtime is expected (e.g., Playwright, Puppeteer, headless Chrome, remote browser API) and whether your agent environment has that binary/service available; (2) how and where the skill will store 'previous run' data (agent memory, a config file, external storage) and how long it is retained; (3) whether the skill respects robots.txt, rate limits, and site terms of service; and (4) if you plan to schedule recurring checks, confirm resource and bandwidth implications. If those answers are acceptable (and the platform provides a safe browser runtime and storage), the skill is reasonable. If you cannot confirm storage or browser/runtime details, proceed cautiously — ambiguity can lead to unexpected network activity or use of platform-wide storage.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fbfgn5crec500qh6azecjax83zvca

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🏫 Clawdis

Comments