Skill Review
v0.2.4
Scrape ClawHub skill pages for Security Scan (VirusTotal/OpenClaw) + Runtime Requirements + Comments for all of Oliver's local skills, and write a markdown r...
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The skill says it scrapes ClawHub pages and gathers Security Scan (VirusTotal/OpenClaw) info and runtime requirements for local skills. It requires python3 and VIRUSTOTAL_API_KEY and uses Playwright to render client-side content — all of which are coherent with that goal.
Instruction Scope
Runtime instructions and included script enumerate local skill folders (SKILL.md), derive slugs, visit https://clawhub.ai/<owner>/<slug>, expand page details, and extract Security Scan / Runtime / Comments. The script only reads SKILL.md, optional slug-map, and a local suppressions.json (next to the script or in parent) and may read ~/.openclaw/.env as a fallback for the VT key. It does not attempt to read unrelated system files or credentials.
Install Mechanism
No install spec is provided (instruction-only with bundled script). The script depends on Playwright (Python) and therefore the user will likely install the playwright package and download Chromium via 'playwright install chromium' — this downloads a browser binary from upstream, which is expected but worth noting as an external binary download.
Credentials
Only VIRUSTOTAL_API_KEY is required (declared). The script legitimately uses the VT key to query VirusTotal and implements client-side rate limiting. The only other env-read behavior is a fallback to ~/.openclaw/.env to find the same key; no unrelated secrets or credentials are requested.
Persistence & Privilege
The skill is user-invocable and not set to always: true. It writes an output markdown to the specified --out path (example /tmp/) and may create Playwright browser artifacts if you install Playwright, but it does not persistently modify other skills or system-wide agent settings.
Assessment
This skill appears to do what it says: it scans your local skills' SKILL.md files to form ClawHub slugs, loads each ClawHub page in a headless browser (Playwright), extracts security scan summaries, and uses your VirusTotal API key (or the ~/.openclaw/.env fallback) to enrich results. Before running: inspect scripts/skill_review.py and suppressions.json yourself (they're bundled), decide whether you are comfortable providing your VIRUSTOTAL_API_KEY (the script will use it to query VT and may cause VT requests tied to your key), and be aware that installing Playwright will download Chromium/browser binaries from upstream. If you don't want network access for a run, don't execute the script — it visits external sites (clawhub.ai and VirusTotal) by design.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🔎 Clawdis
Bins: python3
Env: VIRUSTOTAL_API_KEY
latest
Skill Review (ClawHub Security Scan scraper)
Use this when you want to review ClawHub Security Scan results for your skills.
What it does
- Enumerates local skills under ~/Developer/Skills (folders that contain SKILL.md).
- For each skill, opens the ClawHub page https://clawhub.ai/<owner>/<slug>.
- Extracts:
  - Security Scan (VirusTotal status + report link, OpenClaw status/confidence/reason)
  - Runtime requirements block
  - Comments block
- Writes a single markdown report under /tmp/.
Key config behavior (no surprises)
- Each local skill’s SKILL.md frontmatter name: is treated as the ClawHub slug.
- Supports non-standard cases via --slug-map path/to/map.json.
Run
python3 scripts/skill_review.py \
--owner odrobnik \
--skills-dir ~/Developer/Skills \
--out /tmp/clawhub-skill-review.md
Optional: slug map
If a local folder name doesn’t match the ClawHub slug, pass a mapping file:
{
"snapmaker": "snapmaker-2"
}
python3 scripts/skill_review.py --slug-map ./slug-map.json
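The slug resolution described under "Key config behavior" and "Optional: slug map", as an added example that is not the code in scripts/skill_review.py. It assumes the map is keyed by folder name and takes precedence over the frontmatter name:, and it assumes a slug shape (SLUG_RE) so that a value read from SKILL.md is validated before it becomes part of a URL; the function names and sample folders are constructed for illustration.

```python
import json
import re
import tempfile
from pathlib import Path

# Assumed slug shape (lowercase letters, digits, hyphens); not taken from ClawHub.
SLUG_RE = re.compile(r"[a-z0-9][a-z0-9-]{0,63}")

def frontmatter_name(skill_md):
    """Return the name: value from the leading --- block of SKILL.md, or None."""
    lines = skill_md.read_text(encoding="utf-8").splitlines()
    if not lines or lines[0].strip() != "---":
        return None
    for line in lines[1:]:
        if line.strip() == "---":
            break
        key, sep, value = line.partition(":")
        if sep and key.strip() == "name":
            return value.strip().strip("'\"")
    return None

def resolve_urls(skills_dir, owner, slug_map_path=None):
    """Map each skill folder to its ClawHub URL; collect folders with unusable slugs."""
    slug_map = json.loads(Path(slug_map_path).read_text()) if slug_map_path else {}
    urls, rejected = {}, []
    for skill_md in sorted(Path(skills_dir).glob("*/SKILL.md")):
        folder = skill_md.parent.name
        # Assumption: the map is keyed by folder name and overrides frontmatter.
        slug = slug_map.get(folder) or frontmatter_name(skill_md)
        # SKILL.md is file content, so validate before it becomes a URL path.
        if not isinstance(slug, str) or not SLUG_RE.fullmatch(slug):
            rejected.append(folder)
            continue
        urls[folder] = f"https://clawhub.ai/{owner}/{slug}"
    return urls, rejected

def demo():
    samples = {  # constructed sample folders, not real skills
        "snapmaker": "---\nname: snapmaker\n---\n",
        "example-skill": "---\nname: example-skill\ndescription: x\n---\n",
        "odd": "---\nname: ../other-owner/page\n---\n",
        "notes": "No frontmatter here.\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for folder, text in samples.items():
            Path(tmp, folder).mkdir()
            Path(tmp, folder, "SKILL.md").write_text(text, encoding="utf-8")
        map_path = Path(tmp, "slug-map.json")
        map_path.write_text(json.dumps({"snapmaker": "snapmaker-2"}))
        return resolve_urls(tmp, "odrobnik", map_path)
```

Folders that end up in the rejected list are worth checking by hand before a run, since their SKILL.md did not yield a usable slug.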
Requirements
- Installs/uses Playwright internally (Python package + Chromium).
If it’s missing, follow the error message; typical setup:
python3 -m pip install playwright
python3 -m playwright install chromium
