Skill v0.3.2
ClawScan security
yc · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 8, 2026, 4:12 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The package appears to implement the CLI it describes and its required actions (reading browser cookies, using Playwright, integrating with an AI agent) are coherent with the stated purpose, but the installer performs filesystem changes (symlink into ~/.claude and patches node_modules) and the runtime accesses sensitive artifacts (browser cookie DB + macOS Keychain) — review and consent are advised before installing.
- Guidance: This package appears to do what it claims, but it accesses sensitive browser session cookies (and thus may act with your logged-in identity on startupschool.org) and its installer writes to your home directory and patches installed package files. Before installing:
  1. Verify the package source (check the GitHub repo linked in SKILL.md and confirm the author/trustworthiness).
  2. Expect macOS Keychain prompts to decrypt Chrome cookies — only allow if you trust the tool.
  3. Be aware the postinstall will create ~/.claude/skills/yc-cli (so it integrates with local AI agent tooling) and will attempt to patch node_modules/@steipete/sweet-cookie; if you prefer, inspect or run the postinstall script manually and perform the symlink or patches yourself instead of allowing automatic postinstall.
  4. Playwright may download browser engines during install (large files) — consider installing in a controlled environment or container if you want to limit persistent changes.
  5. If you are unsure, audit the repository source code and run the CLI in an isolated VM or container rather than on a primary workstation.
Review Dimensions
- Purpose & Capability (ok): The CLI's code and dependencies match the description: it reads Startup School cookies to call GraphQL/REST endpoints, uses Playwright to automate SPC Airtable forms, and exposes commands for discovery and submissions. Dependencies (sweet-cookie, playwright) and the required binary 'yc' are appropriate for the stated features.
- Instruction Scope (note): Runtime instructions and code legitimately require reading browser cookie stores and extracting CSRF tokens, and may prompt macOS Keychain for decrypting Chrome cookies — these are necessary for the 'whoami', dashboard, and submit workflows. The SKILL.md and code do not appear to instruct the agent to read unrelated system files or to exfiltrate data to unexpected endpoints; network calls target startupschool.org, speedrun/a16z endpoints, GCS signed URLs, and Airtable forms as expected.
- Install Mechanism (concern): Install is via an npm package (@lucasygu/yc), which is normal, but the postinstall script performs additional actions: it creates ~/.claude/skills/yc-cli (a symlink into the user's home directory) and patches files inside node_modules/@steipete/sweet-cookie. Those write operations modify the user environment and installed package files during installation, increasing the installation footprint and requiring explicit user awareness/consent.
- Credentials (note): No environment variables or external API keys are requested, which is proportional. However, the tool reads browser cookie stores and uses the macOS Keychain (via sweet-cookie) to decrypt session cookies for startupschool.org — this grants the CLI access to sensitive session tokens needed to act on behalf of the user. This access is justified by the feature set but is privacy-sensitive and requires user consent.
- Persistence & Privilege (note): The package does not set always:true and does not demand elevated system privileges, but its postinstall creates a persistent symlink (~/.claude/skills/yc-cli) to register itself with a local AI agent ecosystem and modifies package files in node_modules. Preuninstall includes cleanup logic, but the installation does leave persistent artifacts in the user's home directory.
