v1.0.0

Clickbank Scraper

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:31 AM.

Analysis

The artifacts match a straightforward ClickBank scraping/export tool, with only disclosed, purpose-aligned notes around npm dependencies, optional affiliate ID use, and optional scheduling.

GuidanceThis looks reasonable for its stated purpose if you trust the package source. Before using it, review npm dependencies, remember that your affiliate ID will be written into output links, and enable cron or n8n scheduling only if you want recurring scraping.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities

SeverityInfoConfidenceHighStatusNote

package.json

"dependencies": { "cheerio": "^1.2.0", "node-fetch": "^2.7.0" }

Running npm install will use third-party packages, which is normal for a Node-based HTML scraper but still part of the trusted install surface.

User impactInstalling the skill pulls npm dependencies into the environment.

RecommendationInstall from a trusted copy, use the provided lockfile when possible, and avoid running npm install or the scraper with unnecessary privileges.

Rogue Agents

SeverityLowConfidenceHighStatusNote

SKILL.md

Use OpenClaw cron or n8n workflows to run daily ... "schedule": "0 9 * * *", "command": "CB_AFFILIATE_ID=your_id node scraper.js"

The documentation shows optional recurring execution through cron or n8n.

User impactIf you configure the schedule, the scraper will continue fetching data and writing output files until the schedule is removed.

RecommendationOnly enable recurring runs intentionally, review the command and output path, and disable the cron/n8n job when it is no longer needed.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

scraper.js

affiliateId: process.env.CB_AFFILIATE_ID || 'YOUR_CB_NICKNAME' ... hoplink: vendorId ? makeHoplink(vendorId, CONFIG.affiliateId) : null

The optional affiliate identifier is read from the environment and embedded into generated hoplinks.

User impactYour ClickBank affiliate nickname can appear in JSON output and console logs, and downstream marketing workflows may publish links containing it.

RecommendationUse only the intended affiliate ID, treat generated outputs as shareable affiliate-link data, and avoid exposing logs or output files if you do not want that identifier public.