Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (search Mango TV and open playback pages) aligns with the included scripts. The script requires only Node and makes HTTPS calls to Mango TV search API (mobileso.bz.mgtv.com) and spawns a platform-specific command to open the system browser — all expected for this functionality.
Instruction Scope
SKILL.md and the scripts instruct running node scripts/search-mgtv.js with --query or --direct-url; the runtime code only performs HTTP GETs to the Mango TV API, selects a URL, and opens the browser (or prints a link in headless environments). No unrelated files, credentials, or external endpoints are accessed. Minor docs drift: some documentation mentions an optional BROWSER_COMMAND env var and suggests installing Playwright for automation, but the shipped main script does not read BROWSER_COMMAND nor depends on Playwright in package.json.
Install Mechanism
There is no automated install spec (instruction-only install). The package includes code files and a package.json but no declared dependencies. README/USAGE suggest 'npm install playwright' for advanced automation — this is optional and not required by the main script; installing Playwright would download large browser binaries (as the CHANGELOG correctly noted they removed a playwright dependency).
Credentials
The skill declares no required environment variables or credentials. The script does read common environment indicators (HEADLESS, CI, DISPLAY, ELECTRON_RUN_AS_NODE) to decide whether to try to open a browser or just print a link — this is proportional to the stated behavior and not sensitive. No secrets or unrelated env vars are requested.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide configuration, and does not persist credentials. It spawns a short-lived process to open the browser and exits — no elevated or persistent privileges requested.
Assessment
This skill appears to do exactly what it says: it queries Mango TV's public search API and opens the resulting page in your system browser (or prints a link if running in headless/CI). It requires Node and outbound HTTPS access but asks for no secrets. Notes before installing: 1) documentation mentions Playwright and an optional BROWSER_COMMAND, but the main script does not depend on Playwright nor read BROWSER_COMMAND — do not install heavy dependencies (like Playwright) unless you need the advanced automation features; 2) review the small scripts yourself (they are included) before running code from an unknown source; 3) the script will spawn platform commands (open/xdg-open/cmd start) which will open browser windows if run locally — avoid running it on servers where you don't want GUI operations. Overall coherent and proportionate to its purpose.scripts/search-mgtv.js:224
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Like a lobster shell, security has layers — review code before you run it.
latestvk975egq928w21a1zwcvpdny46584x9c0
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📺 Clawdis
Binsnode