Skill v1.0.1

ClawScan security

Anycrawl · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 16, 2026, 8:33 AM
Verdict
Benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill is an instruction-only wrapper for the AnyCrawl CLI, and its instructions, install guidance, and security notes are consistent with that purpose; a minor metadata mismatch about environment variables should be fixed before trusting it fully.
Guidance
This skill is an instruction-only wrapper for the AnyCrawl CLI and appears internally consistent with that purpose. Before installing or using it:
1) Verify the upstream npm package (anycrawl-cli) and its source/release provenance; prefer using npx if you don't want a global install.
2) Be aware the CLI fetches arbitrary third-party web content and will store an API key under your user config directory; use a scoped/rotatable key and inspect where it is stored.
3) The SKILL.md references ANYCRAWL_API_KEY but the skill metadata doesn't declare it; ask the author to declare required env vars explicitly.
4) Follow the included security advice (write output to .anycrawl/, add to .gitignore, and read files incrementally) to reduce prompt-injection and data exposure risk.

Review Dimensions

Purpose & Capability
ok: The name/description match the instructions: the skill expects the AnyCrawl CLI and explains search/scrape/map/crawl workflows. Nothing requested or documented is unrelated to web crawling/scraping.
Instruction Scope
ok: SKILL.md only instructs use of the anycrawl CLI and contains safe-sounding handling guidance (write outputs to .anycrawl/, incremental reads, URL quoting, avoid returning fetched pages directly). It does not instruct reading unrelated system files or exfiltrating data.
Install Mechanism
note: There is no formal install spec (instruction-only), and install guidance points to the npm package anycrawl-cli and npx usage, a standard approach. Users should still verify the npm package and upstream docs before installing.
Credentials
concern: SKILL.md and rules/install.md reference an ANYCRAWL_API_KEY and describe persistent credentials in ~/.config or %APPDATA%, but the skill metadata lists no required environment variables or primary credential. The skill should declare ANYCRAWL_API_KEY (or be explicit it is optional).
Persistence & Privilege
ok: The skill is not forced-always, is user-invocable, and does not request persistent platform privileges or modify other skills' configs. Autonomous invocation is allowed by default but not unusual here.