Back to skill
Skillv1.0.0
ClawScan security
Chat DeepSeek by Browser · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousMar 9, 2026, 4:04 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's stated purpose (automating queries to chat.deepseek.com) is plausible, but the runtime instructions ask the agent to take screenshots, run shell commands, and send those screenshots over the user's messaging channels without declaring or justifying that access — this is scope-creep that could leak data.
- Guidance
- This skill will control a browser tab, take screenshots of the page (including any visible content), run shell commands, and send the screenshots via messaging channels (imessage/whatsapp/signal examples). Before installing, consider: (1) Do you trust the skill to access your messaging channels and workspace files? It may transmit sensitive page content. (2) Prefer scanning QR codes manually rather than allowing the agent to send screenshots automatically. (3) If you must use it, disable autonomous invocation or run it in a restricted test account/environment first. (4) Ask the author to remove or limit exec/send steps or to explicitly declare what channels and filesystem paths will be used. (5) Review platform logs for any unexpected messages the skill sends.
Review Dimensions
- Purpose & Capability
- noteThe skill's name and description match the instructions to open chat.deepseek.com, type questions, and extract text from the page. However, the runtime steps also instruct the agent to send QR-code screenshots via various messaging channels (imessage/whatsapp/signal) and to run exec() commands. Those messaging/send actions are outside the minimal capability needed to query DeepSeek (they are a convenience for QR login but broaden the skill's access surface).
- Instruction Scope
- concernSKILL.md instructs the agent to: take screenshots of the page (QR codes and snapshots), write them to workspace paths, execute arbitrary shell commands (imsg send, openclaw message send, exec examples) to deliver screenshots to external channels, and perform broad DOM scraping (selecting many <p> elements across the whole page). These actions permit reading page content and sending it to external endpoints (user channels). The instructions also include polling loops and arbitrary exec usage with placeholders for account IDs and filesystem paths — this gives the agent broad discretion to touch files, messaging channels, and run arbitrary commands.
- Install Mechanism
- okThis is an instruction-only skill with no install spec and no external downloads or dependencies, so it does not write new code to disk or pull remote archives.
- Credentials
- concernThe skill declares no required env vars, but the instructions rely on platform features (exec to imsg/openclaw messaging, writing to <your-workspace>, accessing browser profile 'openclaw', sessions_list) that let it access messaging accounts and filesystem paths. Those capabilities are not explicitly declared as required and can be used to transmit screenshots or page contents to other accounts. The skill also uses exec() to run arbitrary shell commands — a high-capability operation relative to the simple stated purpose.
- Persistence & Privilege
- notealways:false (good). The skill can be invoked autonomously by the agent (platform default). Combined with its ability to take screenshots and send messages via exec, autonomous invocation increases risk; however autonomous invocation alone is normal and not intrinsically flagged by policy.