Skill v0.2.0

ClawScan security

X Reader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 1, 2026, 8:13 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill appears to implement the described content‑reader features, but it transfers fetched content (URLs, audio) to several third‑party services, saves browser sessions/cookies to disk, and has a few metadata/visibility mismatches — you should review those privacy and storage behaviors before installing.
Guidance
This skill generally does what it claims, but it has several privacy and storage implications you should consider before installing:

- Third‑party transmission: The skill uses external services (r.jina.ai, api.groq.com, api.fxtwitter.com, and wsrv.nl) to fetch/convert content and proxy images. Fetching/transcribing will send the target URL and/or audio to those services. If that is sensitive, do not provide GROQ_API_KEY or use those fallbacks.
- Session files and credentials: The login flow saves Playwright storage_state JSON files (cookies/localStorage) under ~/.x-reader/sessions and will use them for browser fetch fallbacks. Those files contain authentication tokens; the code attempts to set 0o600 permissions, but you should verify permissions and only save sessions for accounts you trust being accessed by this tool.
- Optional secrets: TG_API_ID and TG_API_HASH (Telegram) and GROQ_API_KEY are only needed for those optional features. Only set them if you know why and trust the code/service.
- Local subprocesses and tooling: The skill runs yt-dlp/ffmpeg and Playwright (if installed). These are normal for media transcription but will execute external binaries — install from trusted sources and run in an environment you control.
- Traceability: The registry metadata didn't include homepage/source, but the SKILL.md/README reference a GitHub repo. If you plan to use this, verify the upstream repo, review recent commits, and prefer installing from a pinned commit or direct GitHub source you inspected.

Recommendations:

1. Review the code (especially calls that POST to external APIs and the login/session saving code) yourself or in an isolated environment.
2. If you are concerned about data exposure, avoid supplying GROQ_API_KEY or Telegram credentials and prefer Jina/Local fallbacks (note: Jina also sends URLs to r.jina.ai).
3. Run the tool in a container or VM if you want to limit persistence and network egress.
4. Inspect and confirm file locations (INBOX_FILE, SESSION_DIR, OBSIDIAN_VAULT) and ensure they are acceptable. Manually set restrictive permissions on session files after login.
5. If you need an offline/self-hosted option, consider replacing remote services (Jina/Groq/FxTwitter/wsrv.nl) with self‑hosted components before using with sensitive data.

If you want, I can highlight every place in the repository that transmits data externally or writes session files so you can inspect those calls in detail.

Review Dimensions

Purpose & Capability
note: The code implements a universal content reader (fetchers for YouTube, Bilibili, WeChat, X/Twitter, Telegram, RSS, Xiaohongshu, etc.) which matches the skill description. Optional credentials and tools referenced (TG_API_ID/TG_API_HASH for Telegram, GROQ_API_KEY for Whisper, Playwright/yt-dlp/ffmpeg) are appropriate for the declared features. However, the registry metadata lists no source/homepage while the README/SKILL.md point to a GitHub repo (https://github.com/runesleo/x-reader) — a mismatch in the package metadata/registry visibility that reduces traceability.
Instruction Scope
concern: Runtime instructions and code will: fetch remote pages; upload audio to the Groq Whisper API (api.groq.com) if GROQ_API_KEY is provided; request content via Jina Reader (r.jina.ai), which sends target URLs to that service; use FxTwitter/fxtwitter.com and the wsrv.nl image proxy for certain fetches; run yt-dlp/ffmpeg subprocesses; open headless/visible browsers and save Playwright storage_state JSON session files (cookies/localStorage) under ~/.x-reader/sessions; and read/write an inbox JSON and optionally write into an Obsidian vault. These behaviors involve transmitting user-supplied content and URLs to third parties and storing sensitive session cookies on disk — all of which are within the skill's stated purpose but are important privacy/security considerations that the SKILL.md does not strongly call out as risks.
Install Mechanism
note: This is instruction-only in the registry (no automated install spec), but the package includes a full Python implementation with optional dependencies (Playwright, Telethon, yt-dlp, ffmpeg) and calls subprocesses. There is no arbitrary remote download/install step in the registry spec, which lowers supply‑chain risk, but the skill expects you to install third‑party tools that will be executed locally.
Credentials
concern: The skill itself does not declare required env vars in the registry, but the code and README reference several sensitive environment variables (TG_API_ID, TG_API_HASH, TG_SESSION_PATH, GROQ_API_KEY). Those are logically required only for the corresponding optional features (Telegram fetch, Whisper transcription), so they are proportionate to functionality — however, these secrets enable network access (Telethon and Groq API), and the skill also saves session files containing cookies. Additionally, some fetch paths proxy images through wsrv.nl and use r.jina.ai and fxtwitter.com; using those services will reveal the target URLs/content to third parties. The skill should explicitly warn users that content and URLs may be transmitted to these external services before they provide keys or save sessions.
Persistence & Privilege
note: The skill does not request 'always: true' and it does not modify other skills. It will create and write files (inbox JSON, optional Obsidian file, and Playwright storage_state session files under ~/.x-reader/sessions). Saving browser sessions (cookies/localStorage) and inbox files is normal for this kind of tool but grants persistent access to authentication tokens if users save sessions — the code makes an effort to set file permissions (0o600), but users should verify file locations and permissions.