Skill v1.0.0

ClawScan security

pcs转储 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 10, 2026, 3:42 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code and instructions match the stated purpose (scrape a PCS page and upload an exported Excel to an EBP page); nothing requests unrelated credentials or external endpoints, but there are small implementation mismatches you should be aware of.
Guidance
This skill appears to do exactly what it says: scrape a PCS page and import an Excel into an EBP page. Before installing/running: (1) review and, if needed, parameterize the hardcoded PCS/EBP URLs in scripts (SKILL.md lists configurable values but the script ignores them); (2) confirm the internal host 10.68.160.117 is the correct/trusted target on your network and that any required authentication is handled (the script does not perform login); (3) install Playwright and its browser as instructed and run the script in a controlled environment first (it launches headless Chromium and writes pcs_data.xlsx to disk); (4) verify the upload selectors and that the import action behaves as expected to avoid accidental data changes; and (5) inspect the script for any modifications if you plan to run it automatically (cron) to ensure it won't be repointed to other hosts or exfiltrate data.

Review Dimensions

Purpose & Capability
note: The skill's name/description (fetch data from PCS and import to EBP) aligns with the included script: the Python script uses Playwright to load the PCS page, extract table rows, save an Excel, and navigate to the EBP page to upload it. One minor mismatch: SKILL.md shows a configurable 'config' block (pcs_url, pages, fields) but the script uses hardcoded PCS/EBP constants instead of reading a config — this is an implementation inconsistency but not a security mismatch.
Instruction Scope
ok: SKILL.md and the script stay within the stated workflow: visiting internal URLs, scraping a table, writing pcs_data.xlsx, and uploading it via a file input. The instructions do not read unrelated files, environment variables, or transmit data to external endpoints. The script does not attempt to access credentials or system-wide config.
Install Mechanism
ok: There is no automated install spec in the registry (instruction-only), and SKILL.md suggests installing standard Python packages (playwright, openpyxl) and running 'playwright install chromium'. This is typical for a Playwright-based script and does not fetch arbitrary code from an unknown host.
Credentials
ok: The skill does not request environment variables, credentials, or config paths. It operates on the local file pcs_data.xlsx and accesses internal HTTP addresses (10.68.160.117), which is consistent with its declared purpose.
Persistence & Privilege
ok: The skill is not always-enabled and uses the normal invocation model. It does not modify other skills or system-wide settings. It writes only the exported Excel file in the working directory.