Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Noon Product Search Tool

v1.0.0

Noon product search tool. Enter an Arabic keyword; it uses the Chrome browser to search noon.com/saudi-ar and returns the title, rating, review count and price of every product on the first results page.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The code files implement a Noon product search (three alternative scrapers: puppeteer-based index.js and simple-search.js, and a chrome-remote-interface CDP script). That matches the stated purpose of returning titles/ratings/reviews/prices. However the SKILL.md only mentions chrome-remote-interface and requiring Chrome debugging port 9222, while the primary runtime (index.js) uses puppeteer-extra and stealth plugin; those packages are not listed in SKILL.md. Having three different scraper implementations is plausible but unexplained.
Instruction Scope
SKILL.md instructs running index.js and also tells the user to start Chrome with --remote-debugging-port=9222 (relevant to cdp-search.js). The actual index.js launches Chromium via puppeteer and does not need an externally-launched Chrome debugging port. The scripts only interact with noon.com pages (no external endpoints, no credential or file access beyond argv), but they include stealth/anti-detection code (puppeteer-extra-plugin-stealth) which is evasion-oriented — expected for scraping but worth noting.
Install Mechanism
There is no install spec (instruction-only), so nothing is automatically written to disk by an installer. SKILL.md claims 'first run will auto install dependencies' but no install script or package manifest is provided in the bundle; the code requires npm packages (puppeteer-extra, puppeteer-extra-plugin-stealth, chrome-remote-interface) that will fail if not installed. This mismatch is an inconsistency to clarify.
Credentials
The skill requests no environment variables, no credentials, and touches no config paths beyond using process.argv. That is proportionate to a simple web scraper.
Persistence & Privilege
always:false and no special persistence or modifications to other skill configs. The skill does not request elevated agent privileges.
What to consider before installing
The code is a straightforward web scraper for noon.com and does not request secrets, but SKILL.md and the code disagree about how to run it — SKILL.md emphasizes chrome-remote-interface/remote-debugging while the main script launches Chromium with puppeteer.

1) Ask the author to clarify the required dependencies or inspect package.json (none is included), and run npm install for puppeteer-extra and chrome-remote-interface in an isolated environment first.
2) The scripts use puppeteer-extra-plugin-stealth (anti-detection) — expected for scraping, but it may violate the site's terms and raise blocking or legal concerns if used aggressively.
3) There is no automatic install: running without the npm packages installed will fail. Don't run it as root on a host you care about; test in a sandbox or VM.
4) If you need to proceed, verify the dependencies locally, audit the files for network calls (none to external APIs are present) and run with rate limiting to avoid abusive scraping.

For higher assurance, ask the author to include a package.json and an explicit install script and to align SKILL.md with the actual runtime behavior.

Like a lobster shell, security has layers — review code before you run it.
