Skill v1.0.3
ClawScan security
日本雅虎拍卖估价 (Yahoo Japan auction price estimation) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 26, 2026, 9:36 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, runtime instructions, and requested environment variable (a SOCKS5 proxy) are coherent with its stated purpose of scraping Yahoo Auctions and aucfree to compute suggested bids.
- Guidance: This skill appears to do what it claims: it scrapes Yahoo Auctions and aucfree using curl invoked from a Node script, and asks you to set PROXY_SOCKS5 so requests appear to come from Japan. Before installing or running: (1) only set PROXY_SOCKS5 to a proxy you trust (a malicious proxy URL could intercept traffic or, because the proxy string is interpolated into a shell command, could be abused if you set an unexpected value); (2) run the script in an isolated environment or container if you are concerned about network scraping; (3) verify you are comfortable with outbound network access to auctions.yahoo.co.jp and aucfree.com; (4) if you will pass untrusted IDs or environment values, consider reviewing or sanitizing inputs to avoid command-injection risks. Overall the skill is internally consistent and proportionate to its stated purpose.
Review Dimensions
- Purpose & Capability (ok): Name/description say: fetch Yahoo! Auctions and historical prices and compute suggested bids. Declared requirements (node, curl) and the single env var PROXY_SOCKS5 are consistent with needing outbound HTTP(S) access via a Japanese proxy to reach the data sources.
- Instruction Scope (note): SKILL.md explicitly instructs running the provided Node script and setting PROXY_SOCKS5; the script only reads that env var and performs HTTP fetches of auctions and aucfree pages. The script uses child_process.execSync to call curl, which is expected for this type of scraper, but this is an execution-time surface to be aware of (see guidance).
- Install Mechanism (ok): No install spec or remote downloads. This is instruction-only plus a local script (estimate.mjs). Nothing is fetched or written during install, so install risk is low.
- Credentials (ok): Only PROXY_SOCKS5 is required and declared as primaryEnv. That aligns with the stated need to route requests through a Japan-based SOCKS5 proxy. No unrelated credentials or extra env vars are requested.
- Persistence & Privilege (ok): The always flag is false and the skill does not request persistent system-wide privileges or modify other skills or configs. It runs on invocation and does not attempt to persist or escalate privileges.
