Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Korean Scraper
v1.0.0
Korean website specialized scraper with anti-bot protection (Naver, Coupang, Daum, Instagram)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description (Korean website scraper with anti-bot evasion) aligns with the included scripts and dependencies (Playwright, stealth plugin). However, the registry metadata declares no required binaries, while SKILL.md and package.json clearly expect node, npm/npx, and Playwright-chromium to be installed (npm install / npx playwright install). The description mentions Instagram in places, but no Instagram script is present; SKILL.md claims robots.txt compliance, but the code contains no robots.txt checking logic. These omissions/inconsistencies reduce trust in the metadata and claims.
Instruction Scope
SKILL.md instructs running npm install, npx playwright install chromium, and running node scripts (the integration example uses exec to run node). The scripts are limited to scraping and JSON stdout output, and they do not appear to read unrelated local files or contact external endpoints for exfiltration. However, SKILL.md asserts robots.txt compliance and ethical constraints, but the code does not implement robots.txt checks. The anti-bot features (navigator.webdriver hiding, stealth plugin, random delays) explicitly attempt to evade automation detection, which is consistent with the stated goal but raises ethical/TOS concerns depending on use. The integration example requires the agent to execute shell commands, which implies node/npm must be available; this is not declared in metadata.
Install Mechanism
There is no registry install spec, but the repository includes package.json with dependencies on playwright, playwright-extra, and puppeteer-extra-plugin-stealth and a post-install step (npx playwright install chromium) that will download Chromium during install. These are expected for a Playwright scraper. No arbitrary external download URLs or obfuscated installers are present. Because Chromium will be downloaded by Playwright, users should expect substantial disk/network activity during installation.
Credentials
The skill does not request credentials or sensitive environment variables. Optional environment variables referenced (HEADLESS, SCREENSHOT, WAIT_TIME, USER_AGENT) are reasonable and proportional for configuring scraping behavior. No hidden env access was observed in the code.
Persistence & Privilege
The skill is not marked always:true and does not modify other skills or system-wide agent settings. It runs as CLI scripts and returns JSON via stdout. It does not persist credentials or alter agent configuration.
What to consider before installing
What to consider before installing/running this skill:
- Node/npm/npx are required but not listed in the registry metadata; ensure you run this in an environment where installing/running Node is expected (or update metadata).
- npm install + npx playwright install chromium will download a Chromium browser (large download). Run in an environment where that network/disk activity is acceptable.
- The code intentionally uses anti-detection measures (stealth plugin, navigator.webdriver hiding, --no-sandbox and other Chromium flags). That matches the scraper purpose but may violate target sites' terms of service and raises ethical/legal risk — review TOS and laws before using.
- SKILL.md claims robots.txt compliance, but the code provides no robots.txt checking; if you need strict compliance, add an explicit robots.txt check before scraping.
- The skill claims Instagram support and Cloudflare bypass in prose; Instagram scraping code is absent and Cloudflare handling is limited to stealth/backoff. Expect that some claims are aspirational, not implemented.
- The scripts run headless browsers with flags like --no-sandbox and --disable-web-security; running these flags can reduce process isolation and security. Prefer running in an isolated container or VM, not on a critical host.
- Test the skill in a sandbox first, and review/modify rate-limiting and behavior to avoid abusive traffic. Do not provide any credentials (logins) unless you review and modify code to handle them securely.
If you want higher confidence: ask the author to update the registry metadata to list required binaries (node, npm/npx), add robots.txt enforcement, and remove/justify the Chromium flags that reduce sandboxing.
