Skill v1.0.3

ClawScan security

Midscene Automations Skills for Browser · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 7, 2026, 4:41 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's runtime instructions require external model API keys and execute an unverified npm package via npx, but the registry metadata does not declare those required credentials or a source—this mismatch and the use of npx from an unknown origin are concerning.
Guidance
This skill runs an npm CLI (npx @midscene/web@1) and requires model API keys, but the registry metadata doesn't declare those secrets and there's no homepage/source listed. Before installing or running it: (1) ask for the package repository or official homepage and verify the npm package contents (or prefer a published GitHub release), (2) do not supply high-privilege API keys; use limited-scope keys or a quota-limited test project, (3) run the skill first in an isolated/disposable environment, (4) ask the developer to add the required env vars to the registry metadata and to include integrity/pinned package info, and (5) monitor network and process activity while the skill runs. If you cannot verify the package source, treat it as higher risk and avoid providing real credentials.

Review Dimensions

Purpose & Capability
note: The described purpose (vision-driven browser automation using Midscene) aligns with the instructions to run npx @midscene/web and drive a headless Chrome via screenshots. However, the skill metadata claims no required environment variables or credentials while the SKILL.md explicitly requires MIDSCENE_MODEL_API_KEY, MIDSCENE_MODEL_NAME, MIDSCENE_MODEL_BASE_URL, and MIDSCENE_MODEL_FAMILY. That metadata/instruction mismatch is incoherent.
Instruction Scope
concern: SKILL.md instructs the agent to run npx CLI commands, take and read screenshots, and rely on a .env file (or system env vars) for model credentials. While reading screenshots is expected, the instructions implicitly expect access to .env and to secrets (API keys) and to execute network-fetched code via npx. The document does not instruct explicit exfiltration, but it gives the agent broad runtime powers (running arbitrary CLI commands from npm, persisting a browser process), which expands its attack surface.
Install Mechanism
concern: There is no install spec in the registry (instruction-only), but the runtime relies on npx @midscene/web@1, which will fetch and run code from the npm registry at runtime. The skill package source and homepage are unknown in registry metadata, increasing risk: running npx pulls arbitrary remote code unless you verify the package/release. This is moderate-to-high risk compared with a pinned, verifiable install source.
Credentials
concern: The SKILL.md requires multiple API-related environment variables (MIDSCENE_MODEL_API_KEY, MIDSCENE_MODEL_NAME, MIDSCENE_MODEL_BASE_URL, MIDSCENE_MODEL_FAMILY, etc.) for external LLM providers, which is reasonable for a vision/LLM-backed tool, but the registry metadata lists no required env vars and no primary credential. The mismatch is problematic: a user would not see the declared secrets required before installing. Also, the skill suggests storing keys in a local .env file (which the agent may read indirectly via the CLI), so secret handling should be clarified and minimized.
Persistence & Privilege
ok: The skill does not request always:true or other elevated platform privileges. It runs CLI commands that spawn a persistent headless Chrome process across CLI calls (as part of the automation flow), but that is local process behavior, not elevated registry-level privilege.