Skill v0.1.1

ClawScan security

Download Anything · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 20, 2026, 6:21 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill largely matches its stated purpose (downloading many kinds of content) but its runtime instructions reference accessing browser cookies, local configs, and insecure daemon options (aria2 RPC) that are not declared up front and broaden the risk surface — review carefully before use.
Guidance

What to consider before installing:

- Functionality: The scripts do what they claim — orchestrate yt-dlp, aria2, gallery-dl, spotdl, etc. — and the install script uses standard package managers.
- Local secrets/configs: The instructions repeatedly recommend using browser cookies (yt-dlp --cookies-from-browser), gallery-dl OAuth, and tool config files. These actions require access to your local browser profile and config files; only proceed if you understand and accept that.
- Insecure RPC: Documentation examples show running aria2 with RPC options (listen-all / allow-origin-all). Do NOT enable aria2 JSON-RPC bound to all interfaces or without authentication on an untrusted network — it exposes a remote-control surface for downloads.
- Legal & safety: The references include “shadow libraries”, cloud-drive search engines, and torrent/DDL workflows. This increases legal and malware risk depending on what you download. The skill’s purpose is broad (including infringing content); that’s a policy/legal risk you must evaluate.
- Audit before running: Read the included scripts (they are plain shell) and the installer to ensure you’re comfortable with each command. Prefer running in a sandbox/VM/container or an isolated account rather than your primary workstation.
- Use trusted hosts: Examples that call external services (Cobalt examples, self-hosted instances) require you to trust the service; avoid sending URLs or data to public/untrusted endpoints.
- If you proceed: install packages manually rather than running the installer blindly, avoid enabling aria2 RPC without auth, and avoid providing browser cookies to untrusted processes.

If you want, I can highlight the exact lines that access cookies/configs and show a safer aria2 startup example (RPC restricted to localhost with token).

Review Dimensions

Purpose & Capability
Note: The name/description (download-anything) aligns with the included scripts (yt-dlp, aria2, gallery-dl, spotdl workflows). The required environment/credentials section lists none, which is plausible for a downloader toolkit. However, the documentation and scripts explicitly rely on local browser cookies, local tool configs (e.g. ~/.config/yt-dlp/, gallery-dl oauth), and optionally running daemons — capabilities that imply access to local user secrets/configs even though no env vars/config paths are declared.
Instruction Scope
Concern: SKILL.md and the scripts instruct the agent to use --cookies-from-browser, read or instruct the user to export browser cookies, consult user config files, search and scrape numerous external sites (including shadow libraries and cloud-drive search engines), and contain examples for starting aria2 JSON-RPC. Those instructions explicitly expand scope beyond simple 'download from a provided URL' into reading local browser state and potentially automating interactions with third-party sites, which is broader than the metadata declares.
Install Mechanism
Note: There is no binary blob download; install-toolkit.sh uses standard package managers (brew/apt/dnf/pip/npm), which is an expected, lower-risk approach. Caveats: pip/npm global installs are unvetted by the skill and run on the host; the installer runs system package installs (sudo apt-get / dnf) where available. No opaque remote archive extraction is performed by the skill itself.
Credentials
Concern: The registry declares no required secrets, but the instructions tell the agent to access browser cookies, local config files, and optional OAuth setup (gallery-dl, yt-dlp cookies-from-browser). The references also show how to enable aria2 RPC (rpc-listen-all, rpc-allow-origin-all) which, if used, could expose a local RPC port without authentication. These capabilities justify explicit disclosure of required access, but the skill metadata does not declare them.
Persistence & Privilege
OK: always:false and normal model invocation settings. The skill does not request permanent / forced inclusion or claim it will modify other skills or system-wide agent settings. It is an instruction/toolkit bundle that would run on demand.