Skill v0.1.0
ClawScan security
Webperf Interaction · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 11, 2026, 10:55 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is a coherent collection of Chrome DevTools JavaScript snippets for in-page interaction and animation performance analysis; it requires no external credentials, doesn't install software, and its actions match its description.
- Guidance: This skill runs JavaScript inside the target page (via Chrome DevTools) to collect performance data and attribute blocking to scripts. It does not contact external servers or ask for credentials. Before running: 1) Only execute on pages you trust or on staging environments, since the snippets can read DOM and script URLs. 2) Expect the snippets to leave PerformanceObservers and window helper functions active; reload the page to remove them or call provided clear/export functions where available. 3) Be aware one snippet temporarily monkeypatches addEventListener to detect non-passive listeners — this can affect page behavior while active. If you need stricter isolation, run these on a copy of the site or in an incognito / test environment.
Review Dimensions
- Purpose & Capability (ok): Name/description match the bundled scripts: all files are DevTools snippets that use the Performance API and provide INP, LoAF, long-task, CLS, and scroll analyses. Nothing requests unrelated cloud credentials, binaries, or system access.
- Instruction Scope (note): SKILL.md instructs the agent to evaluate scripts via the Chrome DevTools MCP and capture console output — which is exactly what the scripts do. The scripts read the DOM, Performance entries, and script URLs (to attribute third-party vs first-party), and they expose window.getXxx() functions and set up PerformanceObserver tracking. This is appropriate for the stated purpose but does grant the skill broad read access to page DOM and performance entries.
- Install Mechanism (ok): No install spec; this is instruction + snippet files only. Nothing is downloaded or executed outside the browser context.
- Credentials (note): The skill requires no environment variables or external credentials. It does read page-local information (DOM, element attributes, performance entries, script source URLs) — this is necessary for attribution and debugging, but it means the snippets can observe page content and script origins.
- Persistence & Privilege (note): The scripts create persistent observers and attach helper functions to window (e.g., getInteractionSummary, getLoAFSummary). One snippet monkeypatches EventTarget.prototype.addEventListener to detect non-passive listeners — that is intrusive and can interfere with page code while active. Observers and monkeypatches persist until the page reloads or the scripts provide explicit clear functions (some do). There is no platform-level 'always' privilege requested.
