Back to skill
Skillv1.0.0
ClawScan security
cbismb-harmonyos-publish · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 9, 2026, 11:57 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- Instructions are coherent with the stated purpose: an instruction-only browser-automation skill that posts articles to cbismb.com’s HarmonyOS board and does not request unrelated credentials or install code.
- Guidance
- This skill automates posting to cbismb.com using a browser extension and your logged-in session. Before installing or invoking it: (1) confirm you trust and understand the OpenClaw Browser Relay extension because it will act in your browser and can use your session cookies to post on your behalf; (2) review any content the skill will publish to avoid leaking secrets or private data; (3) verify the target domain (https://www.cbismb.com) is correct; (4) if you prefer, run actions manually rather than granting automation control.
Review Dimensions
- Purpose & Capability
- okThe name/description (publish to cbismb.com HarmonyOS) matches the instructions (open the publish page, fill title/body, set category/tags, check privacy, click publish). No unrelated services, binaries, or credentials are requested.
- Instruction Scope
- okSKILL.md confines actions to the target site (https://www.cbismb.com) using browser automation commands and form interactions. It does not instruct reading local files, other env vars, or sending data to third‑party endpoints.
- Install Mechanism
- okThis is an instruction-only skill with no install spec and no code files, so nothing is written to disk. It only requires the presence of the OpenClaw Browser Relay extension (documented in the doc).
- Credentials
- okNo environment variables, credentials, or config paths are requested. The skill expects the user to be logged into cbismb.com in Chrome and to have a browser extension installed, which is proportionate to a browser-automation publishing task.
- Persistence & Privilege
- okalways:false (not force-included); normal autonomous invocation is allowed by default but not problematic here. The skill does require a browser extension that will act with the user's logged-in session — typical for automation but worth user attention.