Skillv1.0.0

ClawScan security

External Ai Integration · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 22, 2026, 5:57 PM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's stated purpose (use browser automation and Hugging Face) matches its behavior, but the SKILL.md and code require tokens, CLI tools, and browser sessions that are not declared in the skill metadata and have privacy/credential access implications.
Guidance: This skill generally does what it says (use browser automation and call Hugging Face), but it omits important metadata about required credentials and CLIs. Before installing or enabling it: - Expect it to need a Hugging Face API token (HF_TOKEN) and/or access to your 1Password via the op CLI, and to read ~/.huggingface/token if present — only provide these if you trust the skill and its source. - Browser automation requires an attached Chrome Relay tab that is already logged in; the automation will operate within that browser profile and could read page content in that tab (be careful which account/session you attach). - The skill uses subprocess/curl and the op CLI as fallbacks; ensure those binaries are available and you understand their use. - Because the skill did not declare these requirements in its metadata, treat the omission as a red flag: ask the publisher to update the metadata to list HF_TOKEN and the 1Password/op dependency, or run the code in an isolated environment (or review it manually) before granting any secrets or attaching live browser sessions. If you do not trust the source or cannot verify the code, avoid providing the HF token or connecting a logged-in browser profile.

Review Dimensions

Purpose & Capability: noteName/description (external LLM integration via Chrome Relay and Hugging Face) aligns with the implementation: browser automation functions and Hugging Face API calls are present. However, the skill metadata declares no required env vars or binaries while the instructions and code clearly require a Hugging Face token, a 1Password (op) CLI fallback, and an attached Chrome Relay session—this mismatch is unexpected and should have been declared.
Instruction Scope: concernSKILL.md and the code instruct the agent to read secrets (HF token from 1Password, env var HF_TOKEN, or ~/.huggingface/token) and to automate a logged-in browser tab. Browser automation will operate within the user's logged-in session (cookies) and can therefore access other webpage content in that tab. The instructions reference local files and the 1Password CLI, but the skill metadata does not advertise these requirements; the scope therefore extends beyond what a metadata-only review would reveal.
Install Mechanism: okThere is no install spec (instruction-only), so nothing arbitrary will be downloaded or installed by default. The code does call subprocess utilities (curl, op) as fallbacks, but no install step is performed by the skill itself.
Credentials: concernAlthough the skill reasonably needs a Hugging Face API token for HF calls, it fails to declare required credentials or primaryEnv in metadata. The code also tries to retrieve tokens via the 1Password CLI and a local token file—access to these secrets is sensitive. Reading session cookies via browser automation implies access to whatever is open in the attached browser profile. Those credential and session access patterns are proportionate to the declared functionality but should have been explicitly declared and consented to.
Persistence & Privilege: noteThe skill does not request always:true and does not modify other skills. It does write to a local memory file for failure logging (memory/YYYY-MM-DD.md), which is a limited local write. Autonomous invocation is enabled by default (normal), so if you allow the skill, it could call external models without prompting if the agent decides to—combine this with the credential/session access noted above when assessing risk.