THE_TIME_MASHEEN

Warn

Audited by ClawScan on May 10, 2026.

Overview

This is a powerful web-scraping and browser-automation skill, but it explicitly supports anti-bot/paywall/login-gated scraping and uses a risky remote, unpinned install path.

Install and use this only if you are comfortable with a powerful scraping/browser-automation tool. Review the installer first, prefer a sandbox or virtual environment, use it only on sites you own or are authorized to access, avoid high-value credentials, and require explicit approval before using stealth, Cloudflare-solving, login-gated, paywalled, or bulk-scraping workflows.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could be used to bypass anti-bot or access controls, scrape content under a logged-in account, and create legal, account, or operational risk.

Why it was flagged

The skill explicitly recommends stealth/Cloudflare-solving scraping and authenticated or paywalled extraction across broadly scoped targets, without clear authorization or safety limits.

Skill content

Use when ... "extracting data from login-gated or paywalled pages" ... "Heavily protected sites → scrapling stealthy-fetch --solve-cloudflare"

Recommendation

Use only on sites you own or are explicitly authorized to access. Require clear user approval before stealth, login, paywall, form-submission, or bulk-scrape actions, and define allowed domains and rate limits.

What this means

Actions may be performed under your account, and credentials or session cookies could expose private account data if used carelessly.

Why it was flagged

The skill is designed to operate with user login credentials and authenticated browser sessions. This is disclosed and purpose-aligned, but it is still high-impact account access.

Skill content

playwright-cli fill e5 "username@example.com" ... playwright-cli fill e6 "password" ... "scrape while session is active"

Recommendation

Prefer dedicated low-privilege accounts, avoid entering high-value credentials, close sessions after use, and verify exactly what pages will be scraped while authenticated.

What this means

Installing could execute changed remote code or dependency install scripts with the user's local privileges, and future installs may not match the reviewed artifact.

Why it was flagged

The README recommends piping a remote script from a mutable branch into a shell and installing unpinned third-party packages, including a global npm tool.

Skill content

bash <(curl -fsSL https://raw.githubusercontent.com/mrjessek/the-time-masheen/main/install.sh) ... `pip install "scrapling[all]"` ... `npm install -g playwright-cli`

Recommendation

Inspect the installer before running it, pin dependency versions, use a virtual environment or container, avoid curl-to-bash installs, and provide a registry install spec or signed release artifact.

What this means

A user could underestimate what network activity occurs or what target sites can observe during scraping and browser automation.

Why it was flagged

The local-session statement is useful, but the broader phrase may be overread: this network scraping tool necessarily sends requests to target sites and external archive services.

Skill content

**All data stays local.** Any session state used during automation exists only on your machine...

Recommendation

Clarify which data stays local, which requests go to third-party sites, and what logs or account activity target services may retain.