Skill v0.1.0
ClawScan security
Windows Browser Ops · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 7, 2026, 3:09 AM
- Verdict
- suspicious
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's instructions ask an agent to run PowerShell scripts that access screenshots and Downloads and to upload evidence, but the package does not include the referenced scripts and does not declare the sensitive filesystem/network access it requires — this mismatch is concerning.
- Guidance
- Do not install or run this skill until you confirm the missing pieces and audit them:
  1. The SKILL.md references scripts (scripts/*.ps1) that are not included — ask the publisher to provide the exact scripts or include them in the package so you can review them.
  2. Understand that the skill will request permission to run PowerShell on a Desktop node, take screenshots, read the Downloads folder, and upload files (Discord mentioned). Those are sensitive actions — only allow on a fully trusted, isolated test machine or VM.
  3. Never accept global execution policy changes (Set-ExecutionPolicy) without reviewing the script contents; prefer executing signed scripts or running with the least privileges required.
  4. If you must use it, require the publisher to: include all scripts, show full script source, document exactly where uploads go (Discord webhook/channel IDs or other endpoints), and provide a least-privilege mode (read-only, screenshot-only) before enabling download/exfiltration features.
  5. If you cannot obtain the scripts for review, treat the skill as unsafe and decline to enable Desktop approval for it.
Review Dimensions
- Purpose & Capability
- concern: The declared purpose (remote control of Edge/Chrome on a Windows Desktop node for navigation, interaction, screenshotting and packaging downloads) is plausible. However, the SKILL.md repeatedly references local PowerShell scripts (scripts/*.ps1) that are not included in the skill bundle. The skill also assumes the presence of an approved Desktop node and the ability to run tools.exec node=Desktop; the registry metadata does not declare these runtime dependencies or any required config paths. Referencing absent scripts and external runtime assumptions without documenting them is an incoherence.
- Instruction Scope
- concern: Runtime instructions tell the agent to execute PowerShell on a Desktop node, take full-screen screenshots, poll and zip the user's Downloads folder, change execution policy, and upload artifacts (mentions openclaw message send --channel discord ... --file path). Those actions legitimately fit the stated 'evidence collection' purpose, but they involve high-sensitivity data (screenshots, Downloads, possibly logged browser accounts) and system policy changes. The instructions also give wide discretion (copy scripts to arbitrary local paths, run SendKeys/AutoHotkey, use tscon to avoid lockscreen) which increases risk.
- Install Mechanism
- note: There is no install spec (instruction-only), which limits what is written to disk by the skill package itself. That normally reduces risk. However, because the SKILL.md expects external PowerShell scripts and suggests manually copying them to C:\Users\... or running them via WSL/powershell, the actual runtime behavior depends on scripts that are missing from the bundle. This absence prevents a full review of what will execute on the Desktop node and is therefore a notable gap.
- Credentials
- concern: The skill declares no required environment variables or config paths, yet its instructions require access to: a Desktop node (tools.exec node=Desktop), the user's Downloads folder, the ability to take screenshots and possibly access Edge profile/account state, and the ability to upload files to external channels (Discord is explicitly referenced). The requested capabilities to change PowerShell execution policy (Set-ExecutionPolicy) and to use tscon to manipulate remote sessions are privileged actions. These privileges and sensitive accesses are not represented in the metadata, which is disproportionate.
- Persistence & Privilege
- note: always:false and default model invocation are appropriate. The skill does not request to persist or modify other skills. However, because it operates by executing arbitrary PowerShell scripts on a Desktop node, granting it Desktop approval gives it broad runtime reach. That runtime reach is normal for a remote-control/evidence-collection skill but should be treated as high-privilege and limited to trusted nodes.
