Skill v1.0.0

ClawScan security

ImmoScout24 Search · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 12, 2026, 8:47 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill largely does what it says (queries ImmoScout24 mobile API) and its runtime code matches the described purpose, but there are a few minor inconsistencies and an overstated claim about bypassing anti-bot protection that you should be aware of before installing.
Guidance
This skill appears to be what it claims: a simple command-line script that queries ImmoScout24's mobile API. Before running: (1) do not blindly run the pip install line in SKILL.md — the recommended 'immoscout' package is not used by the included script and could be unnecessary; if you need Python packages, install only 'requests' in a virtualenv; (2) the claim about 'completely bypasses DataDome' is likely marketing hyperbole — the script only sets headers and a random device id, which may not defeat anti-bot protections and could violate ImmoScout24 terms of service; (3) review the script yourself (it is included) and prefer running it in an isolated environment (virtualenv or container) and not as root; (4) avoid installing unknown PyPI packages system-wide and verify any external package before use. If you want higher assurance, ask the publisher for provenance (homepage/source repo) or run the script in a sandbox to observe network behavior.

Review Dimensions

Purpose & Capability
note: The included Python script performs searches and expose lookups against api.mobile.immobilienscout24.de, which aligns with the skill name/description. However, the SKILL.md tells you to install an 'immoscout' Python package that the bundled script does not import or use, and the README claim 'Bypasses DataDome anti-bot completely' is overstated: the script only sets headers and a random X-Device-Id UUID — not a proven DataDome bypass.
Instruction Scope
ok: Runtime instructions are specific: search and expose commands, output formatting, and example workflows. The instructions don't ask the agent to read unrelated files or secrets. Note the docs encourage writing JSON to /tmp in examples (user-controlled), which is normal.
Install Mechanism
ok: There is no install spec; this is instruction-only with an included script. The only install instruction is a pip command in SKILL.md (pip3 install --break-system-packages immoscout) — this is an unusual pip flag and the named package isn't used by the included script, so installing it is unnecessary and should be avoided unless you verify the package.
Credentials
ok: The skill requests no environment variables or credentials. The script only makes outbound HTTPS requests to ImmoScout24 endpoints and does not access system secrets or other services.
Persistence & Privilege
ok: 'always' is false and the skill does not request persistent system changes or elevated privileges. It does not modify other skills or global agent settings.