Skill v1.0.0

ClawScan security

JD商品评价 (JD product reviews) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 29, 2026, 7:27 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code and instructions are consistent with its stated purpose (automating JD reviews); it requires browser automation and access to your logged-in Chrome session and will install the browser-use package/Chromium — review and use cautiously.
Guidance
This skill appears to do exactly what it says (automate posting positive JD reviews) and will install the 'browser-use' package and a Chromium runtime if needed. Important things to consider before installing/running:

- It requires using your real Chrome login session (cookies) to act on JD as you — treat this like granting the script access to your account. If you're uncomfortable, run it with a disposable JD account or a separate browser profile.
- The script will install packages via pip and run 'browser-use install', which downloads browser runtimes; review the browser-use package and its network activity before consenting.
- Automating bulk reviews may violate JD terms of service or local laws and could risk account suspension; understand the policy/ethical implications.
- Run the tool in headed/visible mode as instructed so you can watch actions and interrupt if anything unexpected happens.
- If you decide to proceed, review the script source yourself (or have a trusted person do so) and avoid running it on your primary account without testing first.

Review Dimensions

Purpose & Capability
ok: The name/description (bulk-automated JD reviews) match the included SKILL.md and the Python script: both drive a real browser (browser-use) to find pending review pages, fill textareas, set 5-star ratings, select service impressions and submit. The requested tools (browser-use, a real Chrome session) are appropriate for browser automation of site interactions.
Instruction Scope
ok: Runtime instructions are narrowly scoped to opening JD review pages, executing in-page JS, simulating keyboard typing, syncing counters and submitting reviews. The script does not attempt to read unrelated files or environment variables, or call external endpoints beyond standard package installation and browser-use usage. It explicitly requires using a real logged-in browser session, which is necessary for the stated actions.
Install Mechanism
note: No install spec in registry, but the script auto-installs the browser-use PyPI package (pip install browser-use) and runs 'browser-use install', which downloads/installs a Chromium runtime and dependencies. Installing packages from PyPI and downloading Chromium is a moderate-risk operation compared with instruction-only skills; the sources are standard (pip/browser-use) rather than arbitrary URLs, but you should still verify the package and its network activity before running.
Credentials
concern: The skill declares no credentials but requires reuse of the user's real logged-in Chrome session (cookies/session tokens) to act as the user's JD account. That implicit requirement grants the script effective access to your account (via the browser session) and is sensitive — this access is proportionate to the task but must be explicitly understood by the user before running (it is not expressed as an explicit credential in metadata).
Persistence & Privilege
ok: The skill does not request always:true, does not modify other skills or system-wide settings, and does not persist credentials in the registry. It runs ad hoc and relies on browser-use sessions; autonomy settings are default.