Skill v0.0.1

ClawScan security

fp-skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 11, 2026, 9:12 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill mostly implements browser automation to check invoices, which matches its description, but there are multiple incoherences and a local patch script that injects code to download arbitrary URLs with SSL verification disabled — these mismatches and sloppy hard-coded paths raise concern.
Guidance
This skill is not clearly malicious, but it has several red flags and sloppy configuration that you should address before using it:
- The code requires Chrome + Chromedriver, but SKILL.md and registry metadata don't list them; the chromedriver path is hard-coded to a developer machine (/Users/...) — make the driver path configurable or ensure the correct binary exists.
- requirements.txt has duplicate/conflicting packages; clean and pin a single, coherent set of dependencies.
- Review patch_fp.py: it rewrites skill.py to add support for downloading images from arbitrary URLs using requests.get(..., verify=False). That both expands network access beyond the documented scope and disables SSL verification (insecure). Only apply such a patch after you understand and audit it. Prefer not to disable SSL verification.
- If you will run this in a hosted environment, ensure the workspace file paths (e.g., /root/.openclaw/.../fp5_new.pdf) are correct and that you trust any files uploaded to the service the skill automates.
- Consider removing or restricting patch_fp.py, or require explicit review/consent before applying it. Add explicit documentation of all required binaries and network endpoints the skill will contact.

If you cannot verify or adjust these issues, treat the skill as suspicious and avoid running it with sensitive network access or in privileged environments.

Review Dimensions

Purpose & Capability
concern
The skill's stated purpose (query official VAT invoice platform) aligns with the selenium-based automation and OCR code. However, the package does not declare required system binaries (Chrome/Chromedriver) even though the code requires them. The code hardcodes a chromedriver path (/Users/pengsiyi/...) and references workspace files under /root/.openclaw/..., which are inconsistent and likely to fail or behave unexpectedly in other environments.
Instruction Scope
concern
SKILL.md describes web automation only (opening pages, filling forms, screenshots), which matches skill.py. But the repo contains patch_fp.py that modifies skill.py to add URL-download behavior (requests.get with verify=False). SKILL.md does not mention this patch or any external downloads. The presence of that patch means the skill could be modified to fetch arbitrary remote resources (captcha images) — a capability not documented in SKILL.md.
Install Mechanism
note
This is an instruction-only skill with code files and a requirements.txt but no install spec. Dependencies will need pip install -r requirements.txt; requirements contain duplicate/conflicting entries (numpy repeated with different versions, duplicate opencv lines). No direct remote-install URLs are present, so install risk is moderate and messy but not obviously malicious.
Credentials
note
The skill declares no environment variables or credentials — appropriate for its stated purpose. However, it implicitly requires system-level binaries (Chrome and Chromedriver) and expects files in the skill workspace (fp5_new.pdf, chromedriver path), which are not documented. The patch injects code that would perform arbitrary HTTP GETs, which could require network access not mentioned in SKILL.md.
Persistence & Privilege
ok
The skill's always flag is false and the skill does not request elevated platform privileges. The included patch_fp.py can rewrite the skill's own file but does not modify other skills or system configs. This is a local code-modification capability (potentially risky) but not an automatic privilege escalation request.