Skill v1.0.0
ClawScan security
Capture Website · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 25, 2026, 4:21 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's purpose (taking website screenshots) matches the instructions, but there are several inconsistencies and omissions (missing install/binary declarations, a hard-coded user path, and vague send/upload steps) that could lead to unexpected behavior or data exposure.
- Guidance: This skill is plausible for taking screenshots, but it has gaps and assumptions you should address before installing or allowing it to run:
  1. The SKILL.md requires 'npm install -g capture-website-cli' but the skill metadata doesn't declare node/npm—confirm that installing a global npm package is acceptable and verify the package source (review the npm package and its maintainer).
  2. The instructions use a hard-coded path (/home/aaronz/.openclaw/workspace/) — ensure the skill will use a sandboxed or canonical workspace path rather than assuming another user's home directory.
  3. The README mentions sending via Discord/Feishu but doesn't declare or request tokens; confirm what messaging tool the agent will actually use and how credentials are provided/secured to avoid unintended data exfiltration.
  4. Be aware a screenshot tool will fetch arbitrary URLs; if your agent can access internal networks, this could be used to capture internal pages (SSRF-like data exposure).
  5. Prefer an explicit install spec (or containerized runtime) and explicit required binaries/permissions in the skill metadata.

  If you rely on this skill, ask the author to: add required binaries (node/npm), include an install specification or trusted source for the CLI, remove hard-coded paths in favor of workspace variables, and declare any message-sending credentials and their intended use. If you cannot verify the CLI package or these changes, treat execution as higher risk.
Review Dimensions
- Purpose & Capability (note): The stated purpose (capture website screenshots) aligns with the SKILL.md which instructs using capture-website-cli. However the skill metadata lists no required binaries or env vars even though the instructions explicitly require npm and a globally installed npm package. Also the description mentions sending via Discord/Feishu but no messaging credentials or APIs are declared.
- Instruction Scope (concern): Runtime instructions tell the agent to run arbitrary capture-website commands and write files to a hard-coded path (/home/aaronz/.openclaw/workspace/). The flow also says 'Send via message tool with filePath' but provides no detail about which tool, how credentials are acquired, or where data is transmitted. The ability to fetch arbitrary URLs (normal for a screenshot tool) means the agent could access internal network resources if allowed—this should be explicit. The hard-coded username/path is concerning because it may not exist for other users and could reveal or assume a specific environment.
- Install Mechanism (concern): There is no install spec in registry metadata, but SKILL.md requires 'npm install -g capture-website-cli'. That implies relying on npm and global installs from the public registry. The skill should have declared required binaries (node/npm) and an install spec or trusted source; absent that, the installer behavior is unspecified and the global npm install may be undesirable or unsafe.
- Credentials (note): The skill declares no environment variables or credentials, yet the README mentions sending screenshots via Discord/Feishu — operations that typically require API tokens. The omission is disproportionate: either the skill should not perform sending, or it should declare required credentials and explain how they are used. Current instructions assume the agent has some messaging capability without specifying its access model.
- Persistence & Privilege (ok): The skill does not request always:true or elevated presence. It's instruction-only and has no install spec in metadata, so it does not request persistent system-wide changes in the registry data. Autonomous invocation remains enabled by default, which is standard and not itself a new concern here.
