THE_TIME_MASHEEN
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: the-time-masheen Version: 1.0.2 The skill provides a 'web intelligence' toolkit that integrates high-risk capabilities including automated browser interaction (clicking, form filling, and arbitrary JavaScript execution via `playwright-cli eval`) and stealth scraping designed to bypass bot protections like Cloudflare (via `scrapling`). While these tools are aligned with the stated purpose of advanced web research and archival analysis, they grant the agent significant power to interact with web applications and bypass security controls, which could be misused for unauthorized actions or data extraction. The `install.sh` script performs global npm installations and fetches browser binaries, and the `README.md` promotes a `curl | bash` installation method (IOC: `raw.githubusercontent.com/mrjessek/the-time-masheen/main/install.sh`).
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could be used to bypass anti-bot or access controls, scrape content under a logged-in account, and create legal, account, or operational risk.
The skill explicitly recommends stealth/Cloudflare-solving scraping and authenticated or paywalled extraction across broadly scoped targets, without clear authorization or safety limits.
Use when ... "extracting data from login-gated or paywalled pages" ... "Heavily protected sites → scrapling stealthy-fetch --solve-cloudflare"
Use only on sites you own or are explicitly authorized to access. Require clear user approval before stealth, login, paywall, form-submission, or bulk-scrape actions, and define allowed domains and rate limits.
Actions may be performed under your account, and credentials or session cookies could expose private account data if used carelessly.
The skill is designed to operate with user login credentials and authenticated browser sessions. This is disclosed and purpose-aligned, but it is still high-impact account access.
playwright-cli fill e5 "username@example.com" ... playwright-cli fill e6 "password" ... "scrape while session is active"
Prefer dedicated low-privilege accounts, avoid entering high-value credentials, close sessions after use, and verify exactly what pages will be scraped while authenticated.
Installing could execute changed remote code or dependency install scripts with the user's local privileges, and future installs may not match the reviewed artifact.
The README recommends piping a remote script from a mutable branch into a shell and installing unpinned third-party packages, including a global npm tool.
bash <(curl -fsSL https://raw.githubusercontent.com/mrjessek/the-time-masheen/main/install.sh) ... `pip install "scrapling[all]"` ... `npm install -g playwright-cli`
Inspect the installer before running it, pin dependency versions, use a virtual environment or container, avoid curl-to-bash installs, and provide a registry install spec or signed release artifact.
A user could underestimate what network activity occurs or what target sites can observe during scraping and browser automation.
The local-session statement is useful, but the broader phrase may be overread: this network scraping tool necessarily sends requests to target sites and external archive services.
**All data stays local.** Any session state used during automation exists only on your machine...
Clarify which data stays local, which requests go to third-party sites, and what logs or account activity target services may retain.