Skill v1.0.2

ClawScan security

Scrapling Web Fetch · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Verdict: suspicious (Mar 8, 2026, 6:37 PM)
Confidence: medium
Model: gpt-5-mini
Summary
The skill's code and instructions are coherent with its stated purpose (webpage-to-markdown extraction), but it depends on an external Python package named 'scrapling' (installed via pip if missing) whose behaviour/hosting is not described — this dependency and the suggestion to pip-install third-party packages warrant caution.
Guidance
This skill appears to do what it says: fetch pages, extract body text, convert to Markdown, and clean WeChat noise. Before installing or running it, review the PyPI package 'scrapling' (and its homepage/source) because the script depends on it; a malicious or overly-permissive package could perform network calls or execute code. Run pip installs in a virtualenv or sandbox, inspect installed package source, and avoid passing sensitive local file paths to --batch or --selectors (the script will read those files). If you need stronger assurance, ask for the 'scrapling' package source or use an alternative extractor implemented with well-known libraries (requests + readability / newspaper / browser automation) whose behavior you can audit.

Review Dimensions

Purpose & Capability (ok)
Name/description match the code and runtime instructions: the script fetches pages, selects likely article containers, converts to Markdown, cleans WeChat noise, supports batch mode and site overrides. No unrelated credentials, binaries, or paths are required.
Instruction Scope (ok)
SKILL.md instructs running the included Python script and describes inputs/outputs. The script only reads files explicitly passed by the user (--batch, --selectors) and fetches the provided URLs. It does not attempt to read arbitrary system files or environment variables.
Install Mechanism (note)
There is no install spec (instruction-only), which is low-risk. However, the skill recommends installing two PyPI packages (scrapling, html2text) via pip. Installing unknown third-party packages can execute arbitrary code at install/run time; the package 'scrapling' is not further documented here, so evaluate that package before installing.
Credentials (ok)
The skill requests no environment variables, no credentials, and no config paths. The script only reads user-supplied batch or selectors files and writes output to stdout/stderr as expected.
Persistence & Privilege (ok)
The skill does not request persistent or privileged presence (always:false). It does not modify other skills or system-wide configuration.