Skill v1.0.3

ClawScan security

Scrapling · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 6, 2026, 2:35 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's code, instructions, and requirements line up with a web-scraping helper that wraps a Python library (scrapling); nothing in the package appears to request unrelated credentials or perform hidden exfiltration, but installing third-party packages and using stealth fetchers has normal operational and legal risks to review.
Guidance
This skill is coherent for web scraping, but before installing:
1) Review the third-party Python package 'scrapling' (PyPI, source repo, maintainers) to ensure it is trustworthy;
2) Be aware that pip installing extras and running Playwright will download and execute external code and browser binaries — do so in a controlled environment if unsure;
3) Scraping stealth/anti-bot protected sites can violate terms of service or laws; only use against sites you are authorized to scrape;
4) The example shows posting credentials for login flows; never supply sensitive credentials to unknown code or services;
5) Test in a sandbox/container and audit network activity if you need higher assurance.

Review Dimensions

Purpose & Capability
ok: Name and description match the included SKILL.md and the Python helper. The skill documents static, dynamic, and stealthy fetchers and includes a matching CLI/py script. There are no environment variables, config paths, or unrelated binaries requested that would be inconsistent with a scraping tool.
Instruction Scope
note: SKILL.md and the script stay within scraping scope: they instruct installing scrapling and Playwright, choosing fetchers, running the included CLI, and optionally using sessions (including a login example). The instructions do show examples that post login forms (session.post), which implies handling credentials, but the skill does not request or capture secrets itself. The doc also recommends respecting site terms and adding safety controls.
Install Mechanism
note: This is an instruction-only skill with no install spec; it tells users to pip install 'scrapling' and optional extras and to run the Playwright installer. Installing Python packages and Playwright is expected for this functionality, but it does entail downloading and executing third-party code (PyPI packages and browser drivers), which is normal but should be reviewed before installation.
Credentials
ok: The skill declares no required environment variables, credentials, or config paths. Example code demonstrates how to post credentials for login flows, which is appropriate for session-based scraping, but the skill itself does not request or attempt to exfiltrate secrets.
Persistence & Privilege
ok: The skill is not always-included and allows normal autonomous invocation. It does not request permanent system-wide privileges or modify other skills' configurations. There is no install-time behavior in the bundle that persists state beyond normal use.