Trending Skills
Pass
Audited by ClawScan on May 1, 2026.
Overview
This skill appears to do its stated job of fetching public skills.sh rankings, but it relies on local browser/package setup and should be installed with normal dependency caution.
Before installing, expect to add Playwright/Chromium and Python dependencies; use a virtual environment or container if possible, keep the browser runtime updated, and treat any fetched skill descriptions as untrusted web content rather than instructions.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill may require adding Python packages, a browser runtime, and system libraries.
The skill asks for unpinned package installation and a Chromium/system dependency install. This is expected for Playwright-based scraping, but users should understand it modifies the local Python/browser environment.
pip install playwright
playwright install chromium --with-deps
Install in a virtual environment or other contained workspace, and review/pin dependency versions if reproducibility matters.
If the visited page or browser were compromised, reduced sandboxing could increase local exposure compared with default browser isolation.
The scraper launches Chromium with sandboxing disabled and an automation-hiding flag while visiting an external site. The browser use is purpose-aligned, but the launch options reduce containment.
'--no-sandbox', '--disable-setuid-sandbox', '--disable-blink-features=AutomationControlled'
Prefer default sandboxing when possible, keep Playwright/Chromium updated, and run the skill in a low-privilege or contained environment.
A malicious or misleading skill description on the source site could try to influence the agent or user if treated as trusted instructions.
The skill formats fetched skill descriptions and rule text for output/analysis. That remote content could contain instruction-like text, so it should remain informational.
lines.append(detail.get("when_to_use"))
...
lines.append(f" - {rule.get('file')}: {rule.get('desc')}")
Treat fetched descriptions and rules as untrusted web content; summarize or quote them without following any embedded instructions.
This does not show harmful behavior, but it slightly reduces confidence in the package’s provenance and maintenance hygiene.
The package header describes an unrelated AI Daily/smol.ai/Claude project rather than the Trending Skills functionality, suggesting copied or stale project metadata.
AI Daily - AI news daily report generator. Automatically fetches AI news from smol.ai, analyzes and categorizes it with Claude, and generates a polished HTML page
The publisher should update stale metadata; users who require strong provenance should verify the source before relying on it.
