Skill v1.0.0

ClawScan security

RiskShield Case Approval Automation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 16, 2026, 9:21 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's code and instructions mostly match an automated Playwright-based approver for riskshield.dcsuat.com, but there are multiple coherence and secret-handling issues (hardcoded credentials, included token.json, missing install declaration, many code files despite 'instruction-only' metadata) that warrant caution before installing or running it.
Guidance
Things to consider before installing or running this skill:
- Inspect secrets: The SKILL.md and multiple scripts include hard-coded credentials (usernames like 'alan.zhang' and a password shown) and the package contains token.json. Do not run these scripts with real or privileged accounts. Remove or rotate any baked-in credentials and delete token.json if it contains real tokens.
- Expect npm installs: The README tells you to run npm install/playwright; that will pull code from npm (playwright). The registry metadata did not list an install step — treat that as a mismatch. Run installs in an isolated environment (container or VM) if you must test.
- Audit network activity: Scripts make HTTPS requests to riskshield.dcsuat.com and perform actions (approve/refuse). Only run in a test/staging environment where automatic approvals are acceptable. Running against production could perform destructive or unauthorized actions.
- Review all bundled files: The skill ships 100+ scripts and helper shells; some call an 'agent-browser' CLI. Verify each script you plan to run; don't execute arbitrary .js/.sh files blindly.
- Secrets handling: Prefer passing credentials via environment variables or secure credential stores rather than hard-coding. If you need to use this skill, replace embedded credentials with a safe configuration mechanism and ensure token.json is stored securely or regenerated.
- If uncertain, run in a sandbox: Use an isolated container or disposable VM and a test account on the target system. If you want a safer alternative, request a minimal skill that uses explicit credentials (declared in metadata) and a clear install spec.
Findings
[base64-block] expected: A base64-encoded redirect parameter appears in SKILL.md and many scripts (used in login redirect URLs). This is expected for Playwright/browser automation but the pre-scan flagged it as a potential prompt-injection pattern; in this context it looks like an encoded redirect rather than an attempt to subvert evaluation.

Review Dimensions

Purpose & Capability
note: Name/description (RiskShield approval automation) match the included scripts: many Playwright and shell helper scripts that log in and click '审批' ("Approve") to Pass/Refuse cases on riskshield.dcsuat.com. However, the metadata claimed 'instruction-only' / no install spec while the package includes 100+ executable scripts and a package.json — that mismatch is unexpected. The SKILL.md and many scripts also embed hard-coded credentials (password shown) and reference a local token.json; those are not declared as required credentials.
Instruction Scope
concern: Runtime instructions ask you to npm install Playwright and run node scripts in ~/.openclaw/workspace/skills/riskshield/scripts. The scripts will: perform logins using embedded credentials, call site APIs (HTTPS requests), read/write token.json, save screenshots/logs to /tmp, and some bash helpers invoke an 'agent-browser' CLI. The SKILL.md does not instruct reading unrelated system files, but it does instruct installing packages and executing many bundled scripts — giving broad runtime discretion. The presence of embedded credentials and token.json increases the risk of unintended credential reuse/exposure.
Install Mechanism
concern: No formal install spec is declared, but SKILL.md directs npm install playwright and npx playwright install (which will download packages from npm). The code bundle itself is shipped with the skill (many JS and shell scripts) and will be executed locally. There are no downloads from unknown hosts in the provided files, but the implicit npm install step is not surfaced in registry metadata (mismatch).
Credentials
concern: The skill declares no required env vars or primary credential, yet the SKILL.md and multiple scripts include hard-coded usernames and the password 'ZIdongshenpi1.' and reference token.json (included in the package). That is inconsistent: a networked automation tool that needs login tokens should declare credential handling rather than embedding secrets. token.json may contain session tokens — shipping credentials/tokens in the skill package is a secrecy risk. The number of files and potential to write logs/screenshots to /tmp also increases data footprint.
Persistence & Privilege
ok: The skill does not request always:true and does not modify other skills. It stores/reads token.json inside its own workspace and writes temporary logs/screenshots under /tmp — normal for a local automation tool. Autonomous invocation is allowed (platform default) but is not combined with other high privileges in metadata.