Skill v1.0.0

ClawScan security

AI Automation Agency · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 28, 2026, 1:02 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's functionality (scraping LinkedIn/Glassdoor/Maps and calling Apify, InVideo, Claude) matches its description, but the runtime instructions rely on multiple third‑party services while declaring no credentials or environment requirements — an incoherence that warrants caution.
Guidance
This skill describes scraping multiple public platforms and calling Apify, Claude, and InVideo, but it does not list any API keys, tokens, or proxy requirements. Before installing or running it, ask the publisher to: (1) explicitly list required environment variables (e.g., APIFY_TOKEN, INVIDEO_API_KEY, CLAUDE_API_KEY) and the minimum scopes/permissions needed; (2) explain where data is sent/stored and how long outputs or logs are retained; (3) confirm whether scraping uses your Apify account (billing/quotas) or a third‑party account and whether proxies are required; (4) disclose affiliate links and any third‑party accounts the skill relies on; (5) provide a sanitized example run or a dry‑run mode that does not transmit live data. If you can't obtain clear answers, run the skill in a constrained sandbox, avoid giving broad, long‑lived credentials (use short‑lived or limited‑scope tokens), and monitor outbound network requests. The absence of declared credentials is the main incoherence — treat the skill as untrusted until that is resolved.

Review Dimensions

Purpose & Capability
note: The declared purpose (discover leads, detect workflows, compute ROI, produce videos) aligns with the tools named (Apify for scraping, Claude for analysis, InVideo for video). That capability set is coherent with the skill's description. However, the skill expects use of several external platforms whose access normally requires API keys, proxies, or billing accounts; the skill does not declare any of those requirements.
Instruction Scope
concern: The SKILL.md explicitly instructs scraping LinkedIn, Google Maps, Glassdoor, Reddit, and crawling websites, then sending data to third‑party services for analysis/video production. The instructions (as included) do not document required credentials, where to place API keys, or how to authenticate to Apify/InVideo/Claude, and provide affiliate links instead of operational details. The instructions are therefore incomplete and grant the agent broad discretion about how to obtain or call those services.
Install Mechanism
ok: This is an instruction-only skill with no install spec and no code files, which reduces disk/write risk. There is no downloader or archive execution. However, being code‑free doesn't remove the network and credential requirements implied by the instructions.
Credentials
concern: The SKILL.md expects calls to multiple external services (Apify, InVideo, Claude) that normally require API keys/tokens and possibly proxy configuration for heavy scraping; yet the skill declares no required environment variables or primary credential. This mismatch is disproportionate — the skill should list any API tokens and explain required permissions. The lack of declared credentials prevents reviewers from assessing least‑privilege needs.
Persistence & Privilege
ok: The skill does not request permanent/always inclusion (always: false) and does not declare any special system config or file path access. Autonomous invocation is allowed by platform default but is not combined here with elevated persistence or system modifications.