Back to skill
Skillv1.0.0
ClawScan security
kmong · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousFeb 28, 2026, 3:34 PM
- Verdict
- suspicious
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The instructions roughly match an automated sign-up flow, but the skill's metadata omits required local config/secret handling and it directs collection of sensitive personal data (SMS codes, SSN digits, captcha screenshots) without declaring how those secrets or services are provided.
- Guidance
- This skill contains detailed, low-level instructions to automate account sign-up and SMS/captcha-based identity verification, and it references a local secrets file (~/.secrets/kmong.env) that is not declared in the skill metadata. Before installing: (1) Ask the author to explicitly declare required environment variables/config paths and explain how SMS and captcha reading are performed (local OCR vs external service) and where verification codes/captchas are stored or transmitted. (2) Do not provide real SSN digits or your primary phone number until you verify the implementation and trust the source — use test/ephemeral accounts and numbers. (3) Prefer running this skill in an isolated environment (VM or throwaway agent) to limit exposure of PII. (4) If you need this functionality, require the skill to document how it protects captured PII and to limit autonomous invocation; otherwise complete sensitive steps manually.
Review Dimensions
- Purpose & Capability
- concernThe skill claims to automate Kmong sign-up and verification using the OpenClaw browser — that purpose is coherent with a set of browser automation instructions. However, SKILL.md explicitly references a local secrets file (~/.secrets/kmong.env) for account email and workspace settings for nickname, neither of which are declared in the skill metadata (requires.env or required config paths). The presence of that undeclared secret file requirement is disproportionate to the stated metadata.
- Instruction Scope
- concernThe runtime instructions direct the agent to perform highly sensitive actions: entering name, birthdate, the 7th digit of an SSN, phone number, receiving and entering SMS verification codes, and taking screenshots of captchas and 'reading' them. These steps involve collecting and handling PII and authentication tokens. The SKILL.md also contains low-level constraints about evaluate() usage and tab targetId handling — reasonable for browser automation — but the instructions give the agent latitude to capture images and OCR/interpret them without describing where OCR/SMS handling occurs or how captured data is stored/transmitted.
- Install Mechanism
- okInstruction-only skill with no install spec or code files. This has lower disk/write risk; nothing is installed by the skill itself. The lack of an install step is consistent with a purely-instruction skill.
- Credentials
- concernMetadata declares no required environment variables or config paths, but SKILL.md instructs the user/agent to read ~/.secrets/kmong.env and workspace settings for account information. The skill also implicitly needs an SMS-receiving capability and an OCR/captcha-reading capability to function, yet provides no declared env variables, endpoints, or dependency requirements for those services. Requesting or handling SSN digits and SMS verification codes is sensitive and should be explicitly declared and justified.
- Persistence & Privilege
- notealways:false (normal) and autonomous invocation is allowed by default. Because the skill handles PII and verification flows, autonomous runs increase risk — an autonomously-invoked agent could attempt many account creations or submit PII without ongoing human oversight. The skill does not request persistent system-wide configuration, nor does it modify other skills per the provided data.