Skill v1.0.0

ClawScan security

1688 Scraper · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign (Apr 3, 2026, 3:57 AM)
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's code and runtime instructions match its stated purpose of scraping 1688 product pages and saving images/JSON locally, with no requests for secrets or external control channels, though there are small bookkeeping issues you should note before installing.
Guidance
This skill appears to do what it claims: open a 1688 product page in a browser context, scroll to trigger lazy-loading, capture image URLs and attributes, and download images + save a JSON data package to your Desktop. Before installing: (1) confirm where the 'browser' tool runs (local machine vs remote/cloud) — running a scraper in a remote/shared environment can expose scraped data and downloaded files to others; (2) note the code uses process.env.HOME to write to ~/Desktop but the skill metadata doesn't declare that requirement — if your environment lacks HOME or has different filesystem layout, provide an explicit output path; (3) ensure the agent has curl and permission to write to the target folder; (4) consider legal/ToS and anti-scraping rules for 1688 and Alibaba domains and add rate-limiting if you will run many requests; (5) run first in a controlled sandbox or with a single test URL to verify behavior and avoid accidental mass downloads or IP blocking.

Review Dimensions

Purpose & Capability
note: The name/description (scrape 1688 product pages and save images/JSON) aligns with the included code and SKILL.md: browser-driven scrolling, Performance API capture, URL cleaning, and curl-based downloads. package.json lists expected runtime requirements (browser tool, curl, desktop write). Minor mismatch: the code reads process.env.HOME to build a Desktop path but the skill's metadata does not declare any required environment variables or config paths.
Instruction Scope
ok: SKILL.md and README clearly instruct the agent to open the product URL in a browser context, deep-scroll to trigger lazy-loading, collect images and attributes, and download images to a local folder. The instructions do not attempt to read unrelated files, request unrelated credentials, or post collected data to external endpoints other than the image hosts (alicdn). They do assume the agent has a 'browser' tool and filesystem write access.
Install Mechanism
ok: No install spec is provided (instruction-only skill with an included helper JS file). That is low-risk: nothing is automatically downloaded or written during install. The skill expects existing tools (browser, curl) rather than installing arbitrary packages or fetching code from third-party URLs.
Credentials
note: The skill does not request API keys/secrets and only interacts with public image hosts (cbu01.alicdn.com). However, it uses process.env.HOME in scraper.js to compute the Desktop path while the manifest declares no env variables; this is a small inconsistency that could cause runtime surprises if HOME is unset or if the agent's working environment differs. It also assumes write permission to the user's Desktop, which should be considered before running.
Persistence & Privilege
ok: 'always' is false and the skill does not request persistent platform privileges; it only writes files under a constructed local path and does not modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but not combined with any other broad privileges.