Back to skill
Skillv0.1.0
ClawScan security
Modao · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 18, 2026, 11:47 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's declared purpose (scraping and summarizing public Modao prototype pages) matches its instructions and it requests no credentials or installs — nothing appears disproportionate or covert.
- Guidance
- This skill appears coherent and limited to summarizing public Modao share pages and requests no secrets. Before installing, confirm you trust the publisher (source is unknown), and ensure your agent environment is allowed to access external web pages. Be aware that scraping dynamic pages may require a headless-browser capability on the agent side (not declared here). Also follow legal and site-specific rules: respect robots.txt, rate limits, and terms of service; monitor first runs to ensure the skill does not unexpectedly request credentials or access non-public pages.
Review Dimensions
- Purpose & Capability
- okName/description say it extracts public Modao prototype pages; SKILL.md only describes reading public share pages, extracting structure/annotations/links, and rate-limiting. No credentials, unrelated binaries, or excessive permissions are requested — the required capabilities align with the stated purpose.
- Instruction Scope
- okInstructions are scoped to public pages and explicitly prohibit account actions or accessing restricted content. They note dynamic loading and rate control; they do not instruct reading local files, other env vars, or sending data to unexpected endpoints.
- Install Mechanism
- okNo install spec and no bundled code — instruction-only skill. This minimizes on-disk risks because nothing is downloaded or executed by an installer.
- Credentials
- okThe skill requires no environment variables, credentials, or config paths. There are no unexplained secret requests or cross-service tokens that would be disproportionate to a web-scraping summarizer.
- Persistence & Privilege
- okalways is false and the skill does not request persistent system-wide changes or elevated privileges. Autonomous model invocation is allowed (platform default) but not combined with other concerning privileges.