ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Webperf

Web performance measurement and debugging toolkit. Use when the user asks about web performance, wants to audit a page, or says "analyze performance", "debug...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 114 · 0 current installs · 0 all-time installs
by@nucliweb
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match the runtime instructions: the skill is meant to run JavaScript snippets in Chrome DevTools to audit web performance. However, the SKILL.md advertises a collection of 47 snippets and multiple sub-skills, but the skill package contains no snippet code or included assets — only the SKILL.md. It's unclear where the agent is expected to obtain the snippet source (the README points to a GitHub repo, but the skill provides no install/fetch step).
!
Instruction Scope
Instructions explicitly direct the agent to use MCP actions (mcp__chrome-devtools__navigate_page, evaluate_script, get_console_message) to run snippets in the target page — this is coherent for a webperf tool. The concern: the SKILL.md tells the agent to "load the skill's skill.md to see available snippets and thresholds," but the packaged SKILL.md does not contain the snippets themselves nor instructions to fetch them from the referenced repository. Running arbitrary JS in a user's page can expose page data; the skill gives the agent freedom to evaluate scripts but doesn't include or vet those scripts.
Install Mechanism
No install specification and no code files are present. That minimizes the risk of arbitrary code being written to disk by the installer. Because this is instruction-only, there is nothing to download or extract at install time.
Credentials
The skill requests no environment variables, credentials, or config paths. There are no unexpected secrets or external service tokens required.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request persistent or elevated privileges. Autonomous invocation is allowed by default but not combined here with other high-risk requirements.
What to consider before installing
This skill appears to be a set of DevTools snippets for auditing web performance, and it instructs the agent to run scripts in the browser via MCP — that is expected behavior. However, the package does not include the actual snippets it advertises; the SKILL.md references a GitHub repository but provides no automated fetch or included script content. Before using it: (1) verify where the snippet code will come from (inspect the referenced GitHub repo yourself), (2) only run snippets you trust or review the code before evaluating on real sites, and (3) avoid running the snippets on pages containing sensitive data (logged-in sessions, payment pages, etc.), since arbitrary console scripts can read page content and potentially exfiltrate it. If the skill is intended to fetch scripts from the repo automatically, ask the maintainer to add explicit fetch/install steps and include vetted snippets in the package so you can audit them.

Like a lobster shell, security has layers — review code before you run it.

Current versionv0.1.0
Download zip
latestvk97fkdnw4trne2690jr55m973x82qtmh

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

WebPerf Snippets Toolkit

A collection of 47 JavaScript snippets for measuring and debugging web performance in Chrome DevTools. Each snippet runs in the browser console and outputs structured, color-coded results.

Skills by Category

SkillSnippetsUse when
webperf-core-web-vitals7Intelligent Core Web Vitals analysis with automated workflows and decision trees
webperf-loading28Intelligent loading performance analysis with automated workflows for TTFB investigation (DNS/connection/server breakdown), render-blocking detection, script performance deep dive (first vs third-party attribution), font optimization, and resource hints validation
webperf-interaction8Intelligent interaction performance analysis with automated workflows for INP debugging, scroll jank investigation, and main thread blocking
webperf-media3Intelligent media optimization with automated workflows for images, videos, and SVGs
webperf-resources1Intelligent network quality analysis with adaptive loading strategies

Quick Reference

User saysSkill to use
"debug LCP", "slow LCP", "largest contentful paint"webperf-core-web-vitals
"check CLS", "layout shifts", "visual stability"webperf-core-web-vitals
"INP", "interaction latency", "responsiveness"webperf-core-web-vitals
"TTFB", "slow server", "time to first byte"webperf-loading
"FCP", "first contentful paint", "render blocking"webperf-loading
"font loading", "script loading", "resource hints", "service worker"webperf-loading
"jank", "scroll performance", "long tasks", "animation frames", "INP debug"webperf-interaction
"image audit", "lazy loading", "image optimization", "video audit"webperf-media
"network quality", "bandwidth", "connection type", "save-data"webperf-resources

Workflow

  1. Identify the relevant skill based on the user's question (use Quick Reference above)
  2. Load the skill's skill.md to see available snippets and thresholds
  3. Execute with Chrome DevTools MCP:
    • mcp__chrome-devtools__navigate_page → navigate to target URL
    • mcp__chrome-devtools__evaluate_script → run the snippet
    • mcp__chrome-devtools__get_console_message → read results
  4. Interpret results using the thresholds defined in the skill
  5. Provide actionable recommendations based on findings

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…