Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Mortgage Rate Lookup

v1.0.0

Multi-lender mortgage rate comparison — scrapes 13 lenders + Freddie Mac + Mortgage News Daily benchmarks, ranks lowest to highest, tracks day-over-day changes.

by RuMpLeMiNtZ (@seang1121)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto: Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability [!]
Name/description claim a multi-lender mortgage scraper; the code and SKILL.md implement that (urllib + a stealth browser via 'patchright'). However the registry install metadata declares a Node package install (kind: node, package: patchright) while the SKILL.md and requirements.txt expect a Python package (pip install patchright). This mismatch is unexpected and disproportionate to the stated purpose because installing an npm package named 'patchright' (if it exists) is unrelated to the Python runtime the code needs and could install unrelated code.
Instruction Scope
SKILL.md instructs running the included Python script, creating a local config.json (zip code), and installing patchright + chromium for headless scraping. The instructions reference only the files the skill uses and stdout output. They do not request arbitrary file reads, unrelated env vars, or exfiltration to alternate endpoints. They do instruct web scraping of many bank sites which is consistent with the stated purpose.
Install Mechanism [!]
The code and requirements.txt expect a Python package 'patchright' and the SKILL.md shows pip installation, but the registry install block lists a Node (npm) package 'patchright'. This is a high-risk mismatch because an automated installer following the registry metadata may install an npm package (potentially arbitrary code) instead of a Python package, or fail. The install mechanism is not clearly tied to a known release host; the Python install steps are manual in SKILL.md (pip install + python -m patchright install chromium).
Credentials
The skill requests no environment variables or credentials and the code does not access any secrets or unrelated environment values. It only fetches public lender pages and public benchmark CSV/HTML endpoints. No config paths or sensitive tokens are requested.
Persistence & Privilege
The skill is not always-enabled and uses normal invocation. It does network I/O to many external sites, but it does not request system-wide config changes or other skills' credentials.
What to consider before installing
This skill appears to implement the advertised mortgage-rate scraping, but there is an important metadata mismatch you should resolve before installing: the registry metadata lists a Node (npm) package 'patchright' while the SKILL.md and requirements.txt expect the Python package and show pip install instructions. An automated installer that follows the registry metadata could install an unrelated npm package or run unexpected code. Before installing or running:

1) Inspect the full mortgage_rate_report.py file (the provided file was truncated) to confirm there are no hidden endpoints or data-exfiltration calls.
2) Confirm the provenance of 'patchright' (is it a Python package you trust?) and install it via pip as the README shows; avoid blindly running an npm install for the same package name.
3) Run the script in a sandboxed environment or container and do a read-only dry run if possible.
4) Be aware of legal/ToS and anti-bot implications when scraping bank websites.

If you want a higher-confidence clean bill, provide the remaining portion of mortgage_rate_report.py and confirm whether the registry install metadata can be corrected to a pip-based install step.

Version: latest · vk97dfqk2dpnbrdpm2r2nfmvz9d84d0dm


Runtime requirements

Clawdis
OS: macOS · Linux
Bins: python3

Install

Node: npm i -g patchright
