Skill v1.0.0
ClawScan security
Smart Web Scraper · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 23, 2026, 8:08 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill appears to be a straightforward web scraper whose code and runtime instructions match its description and do not request unrelated credentials or access, though you should review and run it in a sandbox before trusting it with large crawls or sensitive environments.
- Guidance: This skill appears coherent and implements a normal static-HTML scraper. Before installing or running: (1) Review the full scripts/scraper.py file yourself (the provided view was truncated here) to confirm there are no hidden network callbacks or unexpected behavior; (2) Run it in a sandbox or limited environment first to ensure it only fetches the target sites and does not contact unknown endpoints; (3) Be mindful of legal/terms-of-service and robots.txt — the tool can override robots rules with --ignore-robots; (4) Note that runtime dependency installation (e.g., via `uv run --with` or pip) will fetch code from PyPI — only install packages you trust; (5) Do not supply unrelated credentials (none are required). If you need higher assurance, ask the publisher for a source repository or sign-off and verify the remaining (truncated) portion of the script.
Review Dimensions
- Purpose & Capability (ok): Name, description, README, SKILL.md examples, and the included Python script all align: they implement HTML scraping, table detection, link/structure extraction, and crawling. There are no unrelated environment variables, binaries, or config paths requested.
- Instruction Scope (note): SKILL.md instructs running the included script (e.g. `uv run ... python scripts/scraper.py`) and documents options like respecting robots.txt, delay, and --ignore-robots. The instructions do not ask for unrelated system reads or credentials. Note: examples use `uv run --with` to auto-install dependencies at runtime — this will pull packages (beautifulsoup4, lxml) from package sources when executed.
- Install Mechanism (ok): No install spec is present (instruction-only install), and the script relies on common Python libraries. No downloads from unknown URLs or archive extraction are present in the provided code. The only install-like behavior implied is runtime package install via the example `uv run --with`, which is expected for Python dependencies.
- Credentials (ok): The skill requires no environment variables, credentials, or config paths. The script performs network requests to target URLs (expected for a scraper) and does not reference other system secrets in the visible code.
- Persistence & Privilege (ok): The skill is not always-enabled and uses normal model invocation defaults. It does not request permanent presence or modify other skills; its operations are local (fetching remote pages and printing or writing outputs).
