Skill v1.0.18
ClawScan security
idea to product mvp · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 13, 2026, 8:00 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- Overall functionality matches the description, but there are mismatches on privacy and implementation (a user profile is automatically recorded and updated during conversation, sessions and credentials are persisted locally, the skill drives a browser, and TLS verification is disabled). Review before installing and require the author to correct several behaviors.
- Guidance
- What to consider before installing:
  - Privacy: the skill automatically records and appends information it extracts from your conversation into `.skills-data/idea2mvp/data/user-profile.md`, without asking the user each time. If you or your users expect explicit consent before personal or background information is stored, ask the author to change this behavior.
  - Credentials: the skill expects optional tokens (PRODUCTHUNT_TOKEN, GITHUB_TOKEN) and SMTP credentials for email. These are reasonable for the features, but by default they are stored in a plaintext `.skills-data/idea2mvp/.env` file. Treat that file as sensitive, keep it in a secure location, or supply the values from an environment-managed secret vault instead.
  - Browser automation and persistent sessions: the xiaohongshu script uses Playwright with a headful browser and persists user_data (cache/xhs_browser_data). It will open a browser instance and may store login sessions (cookies). Only run it on a machine or container you control and where you are comfortable having those session files written.
  - TLS verification: the WeChat-search script disables certificate verification for its requests (an SSLContext with verify_mode=CERT_NONE). This weakens network security; modify the script to re-enable verification, or only run it on a trusted network.
  - PROJECT_ROOT: the scripts expect PROJECT_ROOT to be set when they are invoked, to control where `.skills-data/` is created. If it is not provided, the scripts fall back to the current working directory and may write files into the skill repo directory; make sure the caller sets PROJECT_ROOT explicitly to an appropriate project path.
  - Email exfiltration risk: the skill can send reports via SMTP using credentials you provide. Verify the send_email.py implementation before providing SMTP credentials, and make sure you trust the configured recipient address.
- Operational recommendations:
  - Review send_email.py and any network call targets before adding SMTP credentials or tokens.
  - Run the skill in an isolated environment (container or VM) if you want to limit the blast radius.
  - Ask the author to add an explicit user-consent step before writing to user-profile.md and to stop storing sensitive tokens in plaintext (or at least to document secure handling). Also ask the author to remove or justify the disabled TLS verification in search_wechat.py.
- What would change this assessment: if the author updated the skill to prompt for and obtain explicit user consent before storing conversation-derived profile data, re-enabled TLS verification (or scoped the insecure context), and documented secure handling of credentials (or supported integration with a secrets manager), I would upgrade the verdict to benign (confidence dependent on the changes).
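The TLS point above, as an added example that is not code from the skill or from ClawHub: the context shape the report describes for search_wechat.py (check_hostname=False, then verify_mode=CERT_NONE) beside a verified replacement, plus a small audit function that reports why a context would accept an attacker's certificate. The function names, the urllib opener and the TLS 1.2 floor are assumptions; the report does not show how search_wechat.py actually issues its requests.

```python
from __future__ import annotations

import ssl
import urllib.request


def insecure_context() -> ssl.SSLContext:
    """Roughly the global context the scanner flags in search_wechat.py.

    check_hostname must be cleared before verify_mode can drop to CERT_NONE.
    Afterwards any certificate is accepted, including one presented by an
    on-path attacker, so the connection is encrypted but not authenticated.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context(cafile: str | None = None) -> ssl.SSLContext:
    """Hardened replacement (assumed fix, not the author's code).

    The default client context loads the platform trust store, requires a
    chain to a trusted CA and matches the certificate to the requested host.
    If one host really needs a private CA, pass its bundle as `cafile`
    instead of disabling verification for every request in the process.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return human-readable findings; an empty list means peers are verified."""
    findings: list[str] = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode=CERT_NONE: the peer certificate is never validated")
    if not ctx.check_hostname:
        findings.append("check_hostname=False: the certificate is not matched to the host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum_version={ctx.minimum_version.name}: legacy TLS allowed")
    return findings


def open_with(ctx: ssl.SSLContext, url: str, timeout: float = 10.0):
    """Issue a GET through an explicit context (assumed urllib-based caller)."""
    opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
    return opener.open(url, timeout=timeout)


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()), ("verified", verified_context())):
        print(name, audit_context(ctx) or ["ok"])
```

Running `audit_context` over a context before handing it to `open_with` is the check a reviewer would add to the script: if the list is non-empty, refuse to talk to the network rather than silently accept any certificate.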
Review Dimensions
- Purpose & Capability
- ok · The skill name and description (discover ideas, validate them, build an MVP, send reports) match the code and the runtime instructions: the scripts pull data from Product Hunt, GitHub, sspai (少数派), Xiaohongshu and WeChat (via Sogou search), generate reports that can be sent over SMTP, and save results locally under .skills-data/idea2mvp/. Nothing obviously requires external credentials or binaries unrelated to the stated functionality.
- Instruction Scope
- concern · SKILL.md and the scripts continuously maintain and automatically append to `.skills-data/idea2mvp/data/user-profile.md` during the conversation, and explicitly say to "append updates promptly (no need to ask the user for consent)". Personal background and preference information captured from the user's conversation is therefore persisted, which is privacy collection beyond pure task execution. Another step launches a Playwright browser and prompts for a QR-code login (persisting browser session data), and web_search/agent-browser are used to visit external sites; all of these widen the data exposure surface.
- Install Mechanism
- note · The skill is instruction-only (no install spec), but using every feature requires installing third-party dependencies (for example playwright + chromium and pip packages). Playwright launches a real browser and writes user_data locally (cache/xhs_browser_data), which is a high-privilege, highly persistent local action, but nothing is downloaded as an arbitrary binary through a registry install or fetched as code from an untrusted URL.
- Credentials
- concern · The registry declares no required env, but the scripts read optional credentials (PRODUCTHUNT_TOKEN, GITHUB_TOKEN, SMTP settings and so on) and tell the user to put them in `.skills-data/idea2mvp/.env`. These credentials are tied to the functionality, so they are reasonable but sensitive. In addition, search_wechat.py creates a global SSLContext with certificate verification disabled (check_hostname=False, verify_mode=CERT_NONE), which weakens the security of its HTTPS requests and makes man-in-the-middle attacks easier; worth noting.
- Persistence & Privilege
- concern · The scripts create and keep writing to `.skills-data/idea2mvp/` under the given PROJECT_ROOT (containing .env, search-results, cache, logs, browser session data and more). The persistent storage is relevant to the function, but two points need attention: 1) SKILL.md instructs the skill to update user-profile.md without user consent (a privacy/compliance issue); 2) if the caller does not explicitly provide PROJECT_ROOT, the scripts fall back to cwd and may write runtime data into the skill source directory (the author warns about this, but it remains an error-prone point). always:false, so the skill is not forced to stay resident, but its persistence behavior is significant.
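The two persistence points above (PROJECT_ROOT silently falling back to cwd, and profile writes without consent), as an added example that is not part of the skill or of the scanner output. It shows the lax fallback the report describes beside a strict resolver that refuses to guess a data directory or to place it inside the skill checkout, and a profile append that only writes when a consent callback approves. The function names, the `strict` switch, the `ask` callback and the temporary directories in `demo()` are assumptions; only the `.skills-data/idea2mvp/` layout and the `data/user-profile.md` path come from the report.

```python
from __future__ import annotations

import tempfile
from pathlib import Path
from typing import Callable

# Layout reported by the scanner; everything the skill persists lives below this.
SKILL_DATA_SUBDIR = Path(".skills-data") / "idea2mvp"


class DataRootError(RuntimeError):
    """Raised when no safe location for runtime data can be determined."""


def resolve_data_root(env: dict, cwd: Path, skill_dir: Path, *, strict: bool = True) -> Path:
    """Decide where `.skills-data/idea2mvp/` is created.

    strict=False reproduces the behavior the report flags: a missing
    PROJECT_ROOT silently becomes cwd, so a script started from the skill
    checkout writes .env, caches and browser sessions into the source tree.
    strict=True (assumed fix) raises instead, and also rejects a PROJECT_ROOT
    that points at or below the skill directory.
    """
    raw = env.get("PROJECT_ROOT")
    if raw:
        root = Path(raw).expanduser().resolve()
    elif strict:
        raise DataRootError("PROJECT_ROOT is not set; refusing to guess a data directory")
    else:
        root = cwd.resolve()  # the silent fallback
    skill_dir = skill_dir.resolve()
    if strict and (root == skill_dir or skill_dir in root.parents):
        raise DataRootError(f"data root {root} lies inside the skill source directory {skill_dir}")
    return root / SKILL_DATA_SUBDIR


def append_profile(data_root: Path, entry: str, ask: Callable[[str], bool]) -> bool:
    """Append one conversation-derived fact to user-profile.md, but only if
    `ask(entry)` returns True. Returns whether anything was written."""
    if not ask(entry):
        return False
    profile = data_root / "data" / "user-profile.md"
    profile.parent.mkdir(parents=True, exist_ok=True)
    with profile.open("a", encoding="utf-8") as fh:
        fh.write(f"- {entry.strip()}\n")
    return True


def demo() -> dict:
    """Exercise both resolvers and the consent gate on constructed directories."""
    results: dict = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        skill_dir = base / "idea2mvp-skill"   # constructed stand-in for the skill checkout
        project = base / "my-project"         # constructed stand-in for the caller's project
        skill_dir.mkdir()
        project.mkdir()

        # 1. Lax fallback, started from the checkout: data lands in the source tree.
        lax = resolve_data_root({}, cwd=skill_dir, skill_dir=skill_dir, strict=False)
        results["lax_writes_into_skill_repo"] = skill_dir in lax.parents

        # 2. Strict: a missing PROJECT_ROOT is an error, not a guess.
        try:
            resolve_data_root({}, cwd=skill_dir, skill_dir=skill_dir)
            results["strict_rejects_missing"] = False
        except DataRootError:
            results["strict_rejects_missing"] = True

        # 3. Strict: PROJECT_ROOT pointing at the checkout is rejected too.
        try:
            resolve_data_root({"PROJECT_ROOT": str(skill_dir)}, cwd=project, skill_dir=skill_dir)
            results["strict_rejects_skill_dir"] = False
        except DataRootError:
            results["strict_rejects_skill_dir"] = True

        # 4. Correct use: explicit PROJECT_ROOT, data under the caller's project.
        root = resolve_data_root({"PROJECT_ROOT": str(project)}, cwd=skill_dir, skill_dir=skill_dir)
        results["root_under_project"] = root == project / SKILL_DATA_SUBDIR

        # 5. Consent gate: nothing is written until the user approves.
        fact = "prefers Python backends"
        results["declined_written"] = append_profile(root, fact, lambda _: False)
        results["approved_written"] = append_profile(root, fact, lambda _: True)
        results["profile_lines"] = (root / "data" / "user-profile.md").read_text().count("\n")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In a real deployment `ask` would be the agent's confirmation prompt; the point of threading it through is that the write path itself cannot run without a recorded yes, rather than relying on SKILL.md wording.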
