Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Dom Observer Pro

v1.0.0

Real-time DOM monitoring tool using MutationObserver and IntersectionObserver to detect and extract dynamic web content efficiently with minimal performance...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name, description, declared browser APIs (MutationObserver, IntersectionObserver) and small helper dependencies (debounce, lodash.throttle) are consistent with a DOM-monitoring library. The declared features and selectors are coherent for the stated use cases (browser extensions, SPA scraping, content moderation). However, the SKILL.md also mentions detecting "AI-generated content" and tracking user behavior. Those capabilities imply collection of potentially sensitive page data and warrant privacy review even though no extra credentials are requested.
Instruction Scope
SKILL.md contains only high-level usage and configuration instructions and suggests installing the npm/ClawHub package. It does not instruct the agent to read local environment variables or system files, but it references an examples file (./examples/dom-observer-pro-examples.js) that is not present in the skill manifest, which is an inconsistency. The document is also vague about what happens to extracted content (storage or transmission). That matters because the library's job is to extract page text and images, which can include sensitive data.
Install Mechanism
There is no install spec in the manifest; the skill is instruction-only. The README encourages installing @raghulpasupathi/dom-observer-pro via npm or ClawHub. Installing from npm (or from an unfamiliar ClawHub URL) pulls remote code onto the host, and since that package is not included here for review this is a moderate-risk step. Nothing in the manifest points at an outright malicious download or URL, but the recommended install sources should be inspected (package contents, publisher, integrity hashes or signatures) before use.
Credentials
The skill requests no environment variables, credentials, or config paths in its manifest, which is proportionate for a client-side DOM library. That said, the library's function (content extraction and optional user-behavior tracking) processes page data that may be sensitive. The absence of credentials lowers the risk of automatic exfiltration to a declared remote service, but the package could still contain network code, or require an integration that sends data elsewhere. The SKILL.md documents no network endpoints.
Persistence & Privilege
The skill does not request elevated platform privileges in the manifest (always: false, user-invocable: true) and does not attempt to modify other skills or system-wide settings. If the library is used inside a browser extension, the extension context, not the skill manifest, determines runtime privileges; that environment can be powerful, so review the extension's permissions separately.
What to consider before installing
This SKILL.md describes a plausible DOM-observer library but ships no code in the skill package, and it directs you to install an external npm/ClawHub package. Before installing or using it:

1) Inspect the npm package source (or the ClawHub package). Review every JS file for network calls, telemetry, and unexpected privileges.
2) Verify the package publisher and README on the registry; prefer well-known authors or signed releases.
3) Confirm where extracted content would be stored or sent. Avoid running it on pages with private data until you understand the data flows.
4) Ask the publisher for the missing example files or for a homepage/source repository; the SKILL.md references ./examples/dom-observer-pro-examples.js, which is not included.
5) If you must try it, run it in a sandboxed environment or with network access blocked and observe its behavior first.

If you want, provide the actual npm package URL or package archive and I can re-evaluate the code for suspicious patterns.

Like a lobster shell, security has layers — review code before you run it.

latest · vk978dpqtyp66vzdn17k864e2cn81kxdc
