Skill v1.0.0
ClawScan security
Add to Cart from Bitable · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 11, 2026, 4:14 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's declared purpose (read Feishu Bitable and add items to Taobao/Tmall cart) is plausible and most behaviors are consistent, but there are notable mismatches around credentials and notifications (hardcoded example tokens and a fixed Telegram recipient) and the instructions permit arbitrary JS execution in web pages — these inconsistencies merit caution before installing.
- Guidance: Before installing:
  1) Confirm how Feishu access will be provided — the SKILL.md shows an app_token/table_id but the skill does not declare required credentials; supplying credentials without understanding scope risks data exposure.
  2) Check the Telegram notification target (telegram:1642489086): who receives these reports? If you expect notifications to your own account, replace the hardcoded recipient and verify the messaging channel configuration.
  3) Understand that the skill executes arbitrary JS in merchant pages (to find and click elements) — while necessary for automation, it can read page content and interact with elements beyond 'add to cart'. Run first in a dry-run or sandboxed browser profile, verify behavior on non-production accounts, and ensure you are logged in to the correct shopping account.
  4) Prefer that the skill explicitly declare required env vars (Feishu app token, Telegram bot token) and avoid embedded example tokens in docs; ask the author for clarity or modify the code to prompt for credentials.
  If you cannot verify the recipient(s) and credential handling, treat the skill as potentially leaking shopping data and proceed cautiously.
Review Dimensions
- Purpose & Capability [note]: The name/description match the code and SKILL.md: both read records and perform browser automation to add items to carts. However, the JS implementation uses a hardcoded sample records array instead of actually calling the Bitable API, while the SKILL.md explicitly references a Bitable app_token and table_id (included inline as examples). The skill does not declare any required credentials even though Feishu access and a messaging integration are described.
- Instruction Scope [concern]: Runtime instructions direct the agent to: call feishu_bitable_list_records, execute arbitrary evaluate() JavaScript inside merchant pages (DOM traversal and clicks), and send a Telegram message to a specific recipient id. Executing arbitrary JS in third-party pages is expected for browser automation, but it can also be used to read page content or interact with elements beyond the stated goal. The SKILL.md also instructs sending notifications to a hardcoded external Telegram target (telegram:1642489086), which is an unexpected external endpoint and could leak data if not intended.
- Install Mechanism [ok]: This is an instruction-only skill with a small included script; there is no install spec, no external downloads, and no package installs. Nothing is written to disk by an installer here — low install risk.
- Credentials [concern]: The skill declares no required environment variables or credentials, yet the SKILL.md references a Feishu app_token/table_id and uses a messaging tool that likely requires a Telegram bot token or configured channel. The app_token/table_id included in the doc appear to be example values (but are in plaintext), and the Telegram recipient is hardcoded; the skill should have explicitly declared which credentials it needs and why. The omission is a proportionality/information mismatch that could hide where secrets must be supplied or where data will be sent.
- Persistence & Privilege [ok]: The skill does not request always:true or any persistent system-wide privileges. It relies on the platform's browser and messaging tools and does not attempt to modify other skills or system configs.
