Skill v0.0.0
ClawScan security
5gc · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 21, 2026, 3:41 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code matches its stated purpose (Playwright automation of a 5GC web dashboard), but the package contains baked-in login/session artifacts and other conveniences that are disproportionate and risky — proceed only after inspection and cleanup.
- Guidance: This skill does what it says (browser automation of a 5GC web UI), but the package bundles active login/session credentials and a storageState JSON that contains cookies and an auth token for the target dashboard. Those embedded secrets are the main red flag: they can be reused to access or modify the dashboard and could leak if the skill is shared. Before installing or running:
  1. Inspect and remove the .sessions/ storageState file and any hard-coded credentials in the scripts.
  2. Replace them with your own credentials or a prompt-based login flow.
  3. Run the code in an isolated environment/lab network (don’t run it from a machine with access to production networks).
  4. Rotate/change any credentials that came with the bundle or that were used during tests.
  5. If you must accept the bundled credentials for testing, treat them as compromised and do not use them in production.
  If you want help locating the exact files/lines to change (session JSON, CONFIG.credentials in scripts), provide permission and I can point them out.
- Findings
  - [base64-block] unexpected: The pre-scan flagged a base64-like block in SKILL.md/content. Base64 blocks in skill instructions are often associated with prompt-injection attempts or embedded opaque payloads; here the bundle also contains storageState tokens (base64-looking fields), and that likely triggered the rule. This is not necessary for describing runtime behavior and is unexpected.
Review Dimensions
- Purpose & Capability
- note: The name/description (5GC web dashboard automation) aligns with the provided scripts: many Playwright-based add/edit scripts and a CLI wrapper implement the claimed features. However, the bundle embeds a default target URL and login credentials/session storage for the dashboard (https://192.168.3.89, dotouch@dotouch.com.cn/dotouch and a storageState JSON). Including active credentials/session tokens in the shipped package is not necessary for the stated functionality and is disproportionate.
- Instruction Scope
- concern: SKILL.md and scripts instruct the agent to run local Node.js/Playwright scripts against a web dashboard, reuse a .sessions/ storageState file, and perform bulk edits that can change network elements. The runtime instructions explicitly reuse and persist login/session state (.sessions/ directory) and include hard-coded credentials; this increases the risk of unintended access or credential leakage. Instructions otherwise stick to the dashboard domain and local test artifacts and do not appear to request unrelated system data, but the session reuse behavior broadens scope.
- Install Mechanism
- note: There is no remote install/download; the skill is instructions plus many local JS scripts. It requires Node.js and Playwright (documented), which is expected for browser automation. No external arbitrary download URLs or archive extraction are used in the install step, lowering install risk.
- Credentials
- concern: The skill declares no required environment variables, but the code includes embedded credentials (email/password) and a storageState JSON with cookies/localStorage auth tokens for the dashboard. Shipping active credentials/session tokens inside the skill bundle is disproportionate and dangerous: anyone with the skill can reuse those tokens to access the target dashboard or exfiltrate data. The scripts also accept an arbitrary --url, so they could be pointed at other hosts; this is functionally necessary but increases abuse potential if the credentials/session are reused.
- Persistence & Privilege
- note: always is false and model invocation is normal. The skill persists its own session files under its .sessions/ folder and writes test_results locally. It does not appear to modify other skills or global agent settings. Persisting session state inside the skill directory is expected for convenience but is a persistence risk because those files contain sensitive tokens.
