Skill v1.0.0
ClawScan security
city-life-copilot · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review (Apr 9, 2026, 2:14 PM)
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code and instructions mostly match the described city-assistant features, but its installer downloads and executes third‑party code (including from an unvetted ClawHub URL), auto-installs global tooling, and it omits declaring required AMap credentials — these discrepancies increase risk and warrant caution.
- Guidance: This skill implements the described city assistant, but several red flags mean you should be cautious before installing or running it:
  - Do NOT run scripts/install.js or any included installer without review. It runs npm -g, git clone, curl/unzip and writes into your home directory and global npm space.
  - The skill uses AMap (高德) APIs but does not declare where to supply the required API key. Confirm how/where you must provide AMap credentials and never paste secrets into untrusted scripts.
  - The installer downloads a 'web-fetch' tool from a non-standard host (ClawHub). Verify that URL and the upstream project source before allowing downloads; prefer official release pages (GitHub releases, vendor sites) or inspect archives in a sandbox.
  - The skill explicitly suggests bypassing anti‑scraping protections with agent-browser. Scraping protected content can violate site terms of service and may carry legal/ethical risk.
  - If you want to try it, first run it in an isolated environment (VM or container) and inspect network activity. Alternatively, manually install only the dependencies you trust (amap skill from a known source) and avoid automatically running install.js.

  What would change this assessment: an explicit install manifest that uses only vetted package sources (official releases), clear documentation and prompts for supplying AMap API keys (and no implicit credential access), or provenance for the ClawHub resource (e.g., a reputable GitHub repo or signed release). If the publisher supplies an audited release and documents required credentials and permissions, the rating could move toward benign.
Review Dimensions
- Purpose & Capability (note): Name/description align with the shipped files: dispatcher, grabber, templates all implement route planning, A/B mood routes, house radar and accessible routing. However, the skill clearly expects to call high‑privilege external services (AMap APIs) but does not declare any required API keys/credentials in its metadata; that omission is inconsistent with the claimed capabilities because geocoding/route APIs normally require a key.
- Instruction Scope (concern): SKILL.md and scripts instruct the agent to perform web scraping (including bypassing strong anti‑scraping measures) and to write HTML outputs to a fixed user workspace (~/.openclaw/workspace). The code insists on using an 'agent-browser' to bypass anti‑crawl protections for small‑red‑book (小红书) and similar sites. The workflow has automatic scanning behaviors (e.g., 'hardcore steward' mode triggers active 2km scans without explicit user confirmation). The instructions also tell the agent to install and run local tools and to save files under the user's home directory — these actions go beyond a read‑only assistant and should be made explicit to the user.
- Install Mechanism (concern): There is no platform install spec, but an included scripts/install.js is a full installer that executes system commands: npm install -g, 'skillhub' commands, 'npx skills add', git clone and curl/unzip fallbacks, and copies files into ~/.openclaw. It fetches code from third‑party endpoints (ModelScope is plausible, but ClawHub at https://clawhub.ai/dlutwuwei/web-anti-crawl-fetch is not a standard vetted release host). The installer performs network downloads and writes into the user's filesystem and may install global npm packages — this is higher risk and should be reviewed before running.
- Credentials (concern): The skill declares no required environment variables, but its functionality depends on external services (AMap) that typically require API keys. The manifest does not request or document where to provide AMap credentials or other secrets; at runtime those credentials will still be necessary (or the skill will fail). Additionally, the installer pulls third‑party scraping tools and agent-browser, which may in turn require credentials or elevated privileges; the absence of explicit credential requirements is disproportionate and understates what the user must provide to operate the skill.
- Persistence & Privilege (note): always:false (no forced global enable), but the installer will modify user state: create ~/.openclaw workspaces/skills, install SkillHub globally (npm -g), and clone/copy third‑party skill code into the workspace. The skill does not set always:true or modify other skills' configs directly in the repo, but running its install script grants it the ability to change system/global state — user consent and review are needed before running.
