Skill v1.0.0
ClawScan security
Gov Permit Scraper · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 12, 2026, 11:06 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code and instructions mostly match the stated purpose (scraping permits, enriching with Brave, and emailing via Resend), but the registry metadata omits required credentials and there are a few proportionality and disclosure gaps you should review before installing.
- Guidance: This skill appears to do what it says (scrape public permit pages, enrich via Brave, and email via Resend), but before installing you should: (1) review the code yourself or have a developer audit scripts/permit-pipeline.js to confirm no hidden endpoints or extra data collection; (2) be aware you must supply BRAVE_API_KEY and RESEND_API_KEY (and any Google Sheets OAuth) despite the registry metadata claiming none; only provide API keys you trust and rotate them after testing; (3) configure safe sending settings (verified sending domain, rate limits, unsubscribe handling) to avoid abuse or deliverability/legal issues; (4) run first in dry-run mode to confirm behavior and outputs (it supports --dry-run) and check the CSV output and network destinations; (5) if you need higher assurance, ask the publisher why required environment variables are omitted from metadata and request signed provenance or a trusted source for the skill.
Review Dimensions
- Purpose & Capability (note): The name/description match the code and SKILL.md: the script scrapes public permit pages, enriches via Brave Search, and sends outreach via Resend/SMTP. However, the registry metadata incorrectly lists no required env vars/credentials, while the SKILL.md and code require BRAVE_API_KEY and RESEND_API_KEY (and optionally DEEPCRAWL_KEY / Google Sheets OAuth). That metadata mismatch is unexpected and worth flagging.
- Instruction Scope (ok): SKILL.md and the script are scoped to scraping public records, enriching via a web search API, storing leads to CSV/Sheets, and sending emails. The runtime instructions and code only reference the project config (scripts/config.json), environment keys for the search/email providers, and public government URLs; they do not attempt to read other system files or unrelated credentials.
- Install Mechanism (ok): No install spec and no external downloads; the skill is instruction-only with a bundled Node.js script that runs locally. This is lower risk than arbitrary remote install/execution.
- Credentials (concern): The code legitimately requires BRAVE_API_KEY and RESEND_API_KEY (and optionally DEEPCRAWL_KEY and Google Sheets OAuth) to function, which is proportionate to the described functionality. The concern is the registry listing claiming 'no required env vars': the missing declaration increases risk because users may not realize they must supply API keys and may supply them without review. Also, the skill performs outbound network calls to third parties (Brave, Resend, potentially DeepCrawl and Google), so any supplied credentials will be used to contact external services.
- Persistence & Privilege (ok): always:false and normal autonomous invocation flags. The skill does not request permanent platform-wide privileges and does not modify other skills or system settings. It writes output to local CSV and optionally Google Sheets, which is expected behavior.
