Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

LCSC Mall Automation Skill

v1.0.0

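Operates LCSC Mall through camoufox-cli browser automation to search for components, view details, add items to the cart, match BOMs, and place PCB/SMT orders. Use when the user needs to search for LCSC Mall components, view product details, add items to the cart, match BOMs, place PCB/SMT orders, view orders, or perform other LCSC Mall operations.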

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill's stated purpose (automating LCSC via camoufox-cli) is coherent, but the package metadata declares no required binaries while SKILL.md mandates calling /opt/homebrew/bin/camoufox-cli. That is an internal inconsistency: the skill will not work unless that binary exists, yet the registry metadata did not declare it as a dependency. The absolute path implies macOS/Homebrew and may not exist on target systems.
! Instruction Scope
Instructions cover realistic site actions (open, click, fill, upload) but also expose broad capabilities: eval (arbitrary JS execution in page context), cookies import/export, screenshot/pdf (capture page contents), and file upload. These are useful for automation but also capable of reading or transmitting sensitive page content, session cookies, or local files if misused. The SKILL.md gives no constraints or safeguards on using these powerful commands.
Install Mechanism
This is an instruction-only skill with no install spec, so nothing is written to disk by the skill itself. That is lower risk. The caveat is the skill depends on an external binary (/opt/homebrew/bin/camoufox-cli) which the SKILL.md expects to exist, but that dependency was not declared in the registry metadata.
Credentials
No environment variables or credentials are requested by the skill, which is proportionate. However, browser automation inherently relies on browser sessions/cookies and user-provided files (for PCB/SMT uploads). The SKILL.md references cookie import/export and file upload operations — these imply access to session credentials and local files even though no env vars were declared.
Persistence & Privilege
The skill does not request always-on presence and does not declare modifications to other skills or system-wide settings. It appears to operate only when invoked.
What to consider before installing
This skill is plausible for automating LCSC but has two things to check before installing: (1) ensure the camoufox-cli binary it calls is legitimate and installed at the exact path /opt/homebrew/bin/camoufox-cli (the registry metadata failed to declare this dependency), and (2) understand that the documented commands (eval, cookies import/export, file upload, screenshots) can access or capture sensitive data from web sessions and local files. Only use this with a trusted camoufox-cli binary, avoid running it while logged into sensitive accounts, and test in an isolated account or environment. If you need more assurance, ask the publisher for the camoufox-cli origin and why the dependency was not declared in the skill metadata.

Like a lobster shell, security has layers — review code before you run it.

latest vk9746rdwep7bdkv4xyd4cb6cjh82r2rm

Runtime requirements

🔌 Clawdis