Skill v0.1.0

ClawScan security

Music Search · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 9, 2026, 10:28 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's code, scripts, and runtime instructions are consistent with its described purpose (web-search + deep page scraping to extract cloud-drive links); it does not request unrelated credentials or hidden endpoints, but requires network scraping and local runtimes and has a small mismatch between documentation and implementation around dependency installation.
Guidance
This skill appears to do what it says: it runs a web-search helper and optionally a Python-based deep scraper (cloudscraper) to pull public cloud-drive links. Before installing, ensure you: 1) have Node.js and Python3 if you want deep search to work, 2) understand it will make outbound HTTP requests to many third-party sites (scraping), which could be slow or legally sensitive depending on jurisdiction and content, 3) review and (optionally) run the scripts in a sandbox since there is no automatic installer for Python deps — deep_extract.py will error if cloudscraper is missing — and 4) check any .env you create for secrets (the skill does not require credentials but will read a local .env). If you need stronger assurance, ask the author for a documented install step that creates .venv and installs requirements, or run the skill with network access restricted.

Review Dimensions

Purpose & Capability
ok
Name/description (search music resources across public cloud drives) aligns with the included JS/Python/shell code: the skill calls a web-search helper, optionally runs a Python cloudscraper-based deep extractor, parses pages for pan/magnet links, and returns JSON results. There are no unrelated credentials, system paths, or surprising binaries requested.
Instruction Scope
note
SKILL.md instructs the agent to call the included CLI scripts and to rely on the separate web-search skill. The instructions are scoped to searching and extracting links. One minor inconsistency: SKILL.md claims cloudscraper will be 'auto-installed into .venv on first run', but the repository contains no install script that actually creates .venv or runs pip install; deep_extract.py will simply exit with an error if cloudscraper is missing. The skill will fetch arbitrary public web pages discovered by the web-search skill (expected for a scraper) — be aware network requests to many external sites will be made.
Install Mechanism
note
There is no install spec (instruction-only), which minimizes automatic disk changes. However, the code includes Node.js and Python scripts and a requirements.txt listing cloudscraper. The bundle does not contain an automated installer for Python deps or Node packages; users must have Node and Python available. No downloads from untrusted URLs or archive extraction are present in the repository.
Credentials
ok
The skill declares no required environment variables or credentials. Runtime code reads optional environment variables for configuration (SKILLS_ROOT, MUSIC_SEARCH_*, LOBSTERAI_ELECTRON_PATH) and a local .env inside the skill folder; these are proportional to the functionality. It writes cache files to the system temp directory only.
Persistence & Privilege
ok
always is false and the skill does not request persistent/automatic inclusion. It only reads/writes files within its own skill folder and to a temp cache directory; it does not modify other skills or global agent configuration.