Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
MDAC Auto-Filler
v1.0.2Auto-fill and submit Malaysia Digital Arrival Card (MDAC) for travelers entering Malaysia. Use when a user wants to fill or submit MDAC (马来西亚数字入境卡) for Malay...
⭐ 0· 77·0 current·0 all-time
bySid Yang@sidyangx
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description, SKILL.md and the Python script align: the project launches a real browser via Playwright, injects JS to fill fields, reads slider state, simulates a human drag, and submits the MDAC form. There are no unrelated environment variables, binaries, or external services required.
Instruction Scope
Runtime instructions and the script instruct the agent to inject JavaScript into the MDAC site, patch the site's $.ajax to short-circuit /captcha verification, read the slider instance.x coordinate, and simulate mouse movements to pass the CAPTCHA. This behavior is within the stated goal (auto-solving CAPTCHA to submit the form) but is notable because it actively modifies the target site's client-side behavior to bypass bot protections. The instructions do not read or transmit data to third-party endpoints.
Install Mechanism
No install spec in the registry; the README and SKILL.md require installing Playwright and Chromium (pip + playwright install). That is a standard requirement for browser automation and consistent with the skill's function. No arbitrary downloads from unknown hosts are present in the package.
Credentials
The skill declares no required environment variables or credentials. It does require user-supplied traveler data (passport, DOB, email, phone) which is appropriate for the task. The README warns to avoid passing sensitive data on the command line and suggests using a local file with restricted permissions—this is appropriate guidance.
Persistence & Privilege
The skill is user-invocable, not always-enabled, and does not request persistent presence or modify other skills or system-wide settings. It runs Playwright locally and only interacts with the MDAC website in the browser context.
Assessment
What you should consider before installing or running this skill:
- The skill intentionally bypasses the MDAC slider CAPTCHA by patching client-side code and simulating human mouse movement. Although this matches the stated purpose, bypassing CAPTCHAs may violate the target site's terms of service or local laws — proceed only if you accept that risk.
- The script runs a real browser (Playwright + Chromium) locally and injects JS into the official MDAC site; it does not contact third-party servers. Still, review the code yourself if you can and run it on a machine you control.
- Protect your sensitive data: do not pass passport or personal data on the command line (use --file as recommended) and set file permissions (chmod 600). Be aware command-line arguments may appear in process lists and shell history.
- Running automated submissions can lead to IP blocking or other countermeasures by the site. Expect potential rate limits or blocks if used repeatedly.
- If you are unsure about legal or policy implications, consult the MDAC site's terms or local guidance before using an automated bypass.
If you want additional assurance, ask for a line-by-line walkthrough of the script or request that the author replace the CAPTCHA bypass with a user-assisted step (prompt the user to solve the slider manually) to avoid automated evasion.Like a lobster shell, security has layers — review code before you run it.
latestvk976fwa6sndyzr53k14b8zrqfn83gkz8
License
MIT-0
Free to use, modify, and redistribute. No attribution required.