Skill v1.0.2

ClawScan security

Youxinpai Reconciliation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 25, 2026, 6:30 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's behavior (editing a local repo config, running a unit test, and automating internal web UI actions) broadly matches its stated purpose but the package metadata omits required local config access and the runtime instructions ask for high-privilege local changes — this mismatch and the file-modification steps warrant caution.
Guidance
This skill will (a) open internal web pages (https://dp.58corp.com/...), (b) edit a local repository file at an absolute path (/Users/a58/Desktop/code/yxp_oms_web/src/.../scf.config), (c) change the service host to a specific IP, (d) run a unit test, and (e) later restore the original config. The package metadata did not declare these config-path or file-write requirements — that's an inconsistency. Before installing or running: 1) only use this in a trusted, non-production environment; back up the referenced repo/config and confirm the absolute path is correct for your machine; 2) inspect scripts/run_tasks.js fully to confirm it does only the DOM automation you expect and does not exfiltrate data or call external endpoints; 3) prefer to adapt SKILL.md to use relative or configurable paths (do not blindly follow the hard-coded /Users/a58 path); 4) ensure you have permission to run local tests and edit the config (and review the intended host change to 10.192.12.236); 5) if you cannot verify the author or code, do not grant this skill access to your local filesystem or internal sites. These inconsistencies and the file-modification steps are why I classify it as suspicious rather than benign.

Review Dimensions

Purpose & Capability
concern: Name/description, SKILL.md, and scripts indicate the skill is meant to trigger internal data-warehouse tasks and then run an SQL check—these capabilities are coherent. However the metadata claims no required config paths or credentials while the SKILL.md explicitly requires read/write access to an absolute local path (/Users/a58/Desktop/code/yxp_oms_web) and to modify a config file and run a local unit test. The metadata omission is an incoherence and the absolute hard-coded path is brittle and potentially dangerous if followed verbatim.
Instruction Scope
concern: SKILL.md gives precise runtime instructions that go beyond browser automation: it requires editing a local config file, changing a service host, running a specific unit test, and later restoring local config. Those are high-impact operations (file writes, test execution). The instructions are prescriptive and not vague, but they assume the agent has local filesystem and test-run privileges — this scope is significant and should be explicit in metadata and access controls.
Install Mechanism
ok: There is no install spec (instruction-only plus a JS helper file). No packages or remote downloads are required, which keeps installation risk low.
Credentials
concern: The skill requests no environment variables or declared config paths in metadata, yet the instructions require access to a specific local project path and modifying its config (yxpbuyerservice.host). Requesting filesystem write and test-execution capability is a significant privilege; the lack of declared required config paths/credentials is an inconsistency and provides insufficient transparency about needed access.
Persistence & Privilege
ok: always:false and no evidence the skill requests permanent platform-level privileges. The skill does instruct making and later restoring a local config change, but it doesn't request to persist or alter agent-wide settings. Autonomous invocation is allowed by default (not flagged on its own).