Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Web Auto Analyzer
v1.1.1Automatically analyze websites for performance metrics and audit issues using Lighthouse.
⭐ 0· 105·0 current·0 all-time
byjiahaoli@lj-hao
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description match the included files: the package contains a Node script (automation-script.js), package.json, and documentation for running Lighthouse/Chrome. However the registry metadata earlier reported no required binaries/env, while SKILL.md metadata explicitly requires node, npm and npm packages (lighthouse, chrome-launcher). That mismatch is an incoherence you should confirm with the publisher.
Instruction Scope
SKILL.md instructs running the local Node script and saving JSON/HTML reports to ./results; it warns about authenticated URLs and says to ask before saving to memory. The runtime instructions only reference local Node/npm, Lighthouse, and Chrome; they do not ask to read unrelated host files or environment variables. Note: running an audit fetches the target URL (normal) and may trigger third-party trackers on the audited site — avoid auditing authenticated/internal URLs unless you understand the implications.
Install Mechanism
No install spec is included (instruction-only style) and the package files are provided directly. package.json lists lighthouse and chrome-launcher as dependencies — expected for purpose. There are no downloads from obscure URLs in the install docs; example Chrome install uses Google-hosted deb, and Puppeteer is suggested as an option. Overall install risk is typical for a Node-based Lighthouse tool.
Credentials
The skill requests no secrets or environment variables in the registry metadata, which is appropriate. But SKILL.md metadata requires node/npm and npm packages — the registry-level 'required binaries: none' contradicts that. Also the skill will access the network to fetch audited URLs (expected) and writes reports to disk. Confirm there are no hidden env/credential reads in the rest of the code (some files truncated).
Persistence & Privilege
always is false and user-invocable is true. Autonomous invocation is allowed (platform default) but not combined here with broad credential access. SKILL.md states the skill will ask before saving to memory; verify automation-script.js actually prompts or requires confirmation before persisting any user-tracking memory.
What to consider before installing
What to check before installing or running this skill:
1. Confirm metadata mismatch: the registry said no required binaries, but SKILL.md expects node/npm and Lighthouse packages — ensure your environment meets the SKILL.md prerequisites.
2. Inspect automation-script.js for any code that writes out sensitive files or auto-sends data off-host (search for network calls, fetch/http libraries, or hard-coded endpoints). The provided snippet looks normal (lighthouse + chrome-launcher) but some parts were truncated; verify saveResults and memory-write behavior to ensure the skill asks before saving any data.
3. Run it in a safe environment first (local container or VM) and use non-authenticated public URLs to validate behavior. Avoid running against internal or authenticated endpoints until you’ve reviewed the code and confirmed you control credentials.
4. Run npm audit on the dependencies and review package.json versions. Keep Node up-to-date and use a recent Chrome/Chromium.
5. If you need stronger assurance, validate the GitHub repository and publisher identity (homepage is github.com/user/..., which could be a placeholder). Prefer installing from a verified repo or your own copy of the script.
I flagged this skill as suspicious (not clearly malicious) because of the metadata inconsistency and the truncated files that prevent full verification; resolving those points would raise confidence.Like a lobster shell, security has layers — review code before you run it.
latestvk97emxg52ctf5wrxtbb9cj583s836sa5
License
MIT-0
Free to use, modify, and redistribute. No attribution required.