Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Nyc 311 Reporter
v1.0.0
Automate NYC 311 service request filing by browsing the 311 portal with Playwright. Scrapes complaint categories, finds forms, fills them with user data, and...
by Pranjal Minocha (@pranjalminocha)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the included Playwright automation script: scraping categories, finding forms, filling and optionally submitting. However, SKILL.md suggests storing a user profile in assets/config.json while the visible automation functions use CLI arguments and the script does not appear to read assets/config.json — an inconsistency between docs and implementation.
Instruction Scope
SKILL.md instructions are specific and constrained to running the included script and installing Playwright. They instruct saving screenshots to /tmp and running a dry-run before actual submission, which the script implements. No instructions request unrelated files, environment variables, or external endpoints beyond the 311 portal. The manifest shows the python file is truncated in the listing (main function cut off), which could make runtime behavior unclear.
Install Mechanism
No custom installer; installation is standard: pip install -r requirements.txt and playwright install chromium. Dependencies are reasonable for browser automation (requests, bs4, playwright). No arbitrary URL downloads or extract steps are present in the manifest.
Credentials
The skill requests no environment variables or external credentials — appropriate for its function. It does accept and will submit user-identifying fields (name, email, phone, location) to the NYC 311 site if run with --submit; this is expected but users should be aware they are transmitting personal data to an external government portal. assets/config.json contains example personal data; the code doesn't clearly read it, so documentation and implementation mismatch could lead to user confusion.
Persistence & Privilege
The skill does not request persistent/always-on privilege, does not modify other skills or global agent settings, and is user-invocable only. It saves screenshots to /tmp as noted — a non-privileged filesystem location.
What to consider before installing
What to check before installing or running:
- Review the full scripts locally before running. The provided browse_311.py in the listing is truncated at the end; confirm you have the complete file. A truncated main() may cause runtime errors or unexpected behavior.
- Run the script first in dry-run mode (no --submit) to generate screenshots in /tmp and verify the form-filling logic matches the portal flow. Do not run with --submit until you have confirmed behavior.
- The tool will submit personal contact information to the NYC 311 portal if --submit is used. Only provide information you consent to send; consider using a burner email/phone if testing.
- SKILL.md suggests storing a user profile in assets/config.json but the visible functions rely on CLI args and do not read that file. Confirm whether the script version you have reads config.json or update the code/docs accordingly to avoid accidental exposure of stored personal data.
- Because Playwright automates a real browser and follows links on pages, it can navigate to third-party domains if the portal links there; inspect the script and test in an isolated environment (VM/container) if you’re concerned about unintended navigation or external network activity.
- If you lack confidence in the supplied code, prefer manual filing via the official portal or request a fully audited/complete script from the publisher. If you decide to run it, perform initial tests with dummy data and in an isolated environment.

Like a lobster shell, security has layers — review code before you run it.
