Skill v1.1.7
ClawScan security
Deskbird-Automator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 5, 2026, 6:43 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code and instructions broadly match a Deskbird automation helper, but there are notable mismatches and sensitive-data handling steps (DevTools header paste → import into a local .env) that are not fully declared or constrained — review before use.
- Guidance: This skill appears to be a legitimate Deskbird automation helper, but it asks you to paste full browser request headers (Authorization, Cookie, CSRF tokens) into chat so the tool can import them and save them to a local .env. Before installing or running:
  1. Understand that pasting these headers gives the tool full access to your Deskbird session — only do this from a private, trusted chat and preferably only with short-lived tokens.
  2. The registry metadata does not declare the DESKBIRD_* env vars the tool uses; expect to manage a .env in the skill folder with sensitive values.
  3. If you need Telegram notifications, ask the author how Telegram credentials are provided and where messages are sent; the skill does not declare Telegram credentials.
  4. Consider running the skill in an isolated environment (throwaway repo, container, or VM) and inspect the full scripts (deskbird_tool.py) before importing any tokens.
  5. Prefer the Firebase refresh-token flow over pasting long-lived session cookies, and avoid pasting tokens in public or group chats.
  If you want higher assurance, request from the publisher: (a) an explicit list of required env vars, (b) a description of any outbound network endpoints beyond api.deskbird.com, and (c) confirmation that the skill never transmits captured tokens to third-party hosts.
Review Dimensions
- Purpose & Capability (note): The skill is presented as a Deskbird automation helper (Cron + Telegram notifications) and includes a local CLI and a large Python helper that replays browser requests. That capability is coherent with the stated purpose. However, the registry metadata declares no required environment variables or credentials, while SKILL.md and the scripts expect or encourage several DESKBIRD_* env variables (DESKBIRD_FIREBASE_API_KEY, DESKBIRD_FIREBASE_REFRESH_TOKEN, DESKBIRD_AUTHORIZATION, DESKBIRD_COOKIE, etc.). The description mentions Telegram-based control/notifications, but no Telegram credentials or delivery mechanism are declared, creating an incomplete mapping between claimed functionality and declared requirements.
- Instruction Scope (concern): SKILL.md explicitly instructs the agent/operator to collect full request headers from the browser DevTools (Authorization, Cookie, X-CSRF-Token, etc.) and paste them into Telegram so the tool can import them via auth-import. The tool then persists these values into a local .env. Collecting and importing full session headers is required for the task but is high-risk, and the instructions give broad latitude (e.g., 'paste header block or token') without stricter constraints. The runtime instructions also allow fallback to 'auth-capture' and instruct frequent file reads/writes (.env) and replaying of HTTP requests — all of which are within the skill's purpose but involve sensitive credential handling that is not tightly scoped.
- Install Mechanism (note): There is no install spec (instruction-only), which minimizes automated install risk. The repository includes Python scripts that require installing dependencies (requests, playwright, python-dotenv) and running 'python -m playwright install chromium' per SKILL.md. Requiring Playwright is plausible for an auth-capture flow but increases the local footprint and complexity. No third-party binary downloads from untrusted URLs are present in the manifest.
- Credentials (concern): The skill manifest declares no required env vars, yet the code and documentation expect many DESKBIRD_* variables and offer persistent storage of DESKBIRD_FIREBASE_API_KEY and DESKBIRD_FIREBASE_REFRESH_TOKEN in the skill .env. SKILL.md recommends pasting highly sensitive headers into Telegram, which are then imported and stored locally. The number and sensitivity of env variables used (authorization tokens, cookies, refresh tokens) are high relative to what the registry metadata declares, and there is no explicit declaration of where Telegram credentials live or who receives the pasted tokens, making the credential model unclear.
- Persistence & Privilege (note): The tool intentionally writes and updates a skill-scoped .env file and uses dotenv.set_key to persist auth values — this is expected for long-lived refresh tokens. The manifest's always flag is false, and the skill does not appear to modify other skills or global agent configuration. However, persistent storage of session cookies/headers on disk is a material privilege (sensitive data at rest) that users should be aware of.
