Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Church Account

v1.0.0

Automate tasks on churchofjesuschrist.org and LCR (Leader & Clerk Resources). Use when logging into LDS church accounts, looking up ward/stake rosters, manag...

Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description and SKILL.md are coherent: both describe automating churchofjesuschrist.org/LCR tasks via a browser automation flow. However, the skill fails to declare the real runtime requirements (Python, Playwright, playwright-stealth, and a Chromium browser), which is an inconsistency.
Instruction Scope
Instructions explicitly tell the agent how to perform OAuth login, manage sessions, and persist storage_state (auth tokens) to disk. They also recommend using playwright-stealth and pass browser args including --no-sandbox and --disable-blink-features=AutomationControlled to avoid detection. Saving storage_state and cookies to /tmp and using stealth flags broaden the sensitive scope and weaken sandbox protections; the instructions give the agent discretion over sensitive items without safe-handling specifics.
Install Mechanism
There is no install spec (instruction-only), which minimizes installer risk, but the runtime code requires Playwright, playwright-stealth, and Chromium. Those are not declared in metadata; a user would need to install them manually. The absence of an install spec plus required binaries is an operational mismatch to be aware of.
Credentials
SKILL.md expects credentials (USERNAME, PASSWORD) and suggests storing them in a vault or env vars, but requires.env and primary credential are empty. Sensitive artifacts (storage_state JSON) are written to /tmp with no guidance on encryption/permissions. Requesting credential usage without declaring them is disproportionate and risky.
Persistence & Privilege
The skill does not request always:true nor modify other skills. It does instruct saving persistent session state and cookies to disk which is normal for session reuse but creates long-lived sensitive artifacts; treat these files as secrets and protect them appropriately.
What to consider before installing
This skill appears to be what it says (automating LDS/LCR website tasks) but it has several red flags you should consider before installing or running it:

  • Missing declarations: The SKILL.md expects Python, Playwright, playwright-stealth, and a Chromium browser but the skill metadata lists no required binaries or install steps. Verify and install these dependencies from official sources yourself rather than trusting an unknown installer.
  • Credentials handling: The code expects USERNAME and PASSWORD but the skill does not declare required environment variables. Do not put credentials into plaintext env variables or world-readable /tmp files. Use a secure password vault and inject secrets at runtime if possible.
  • Sensitive persistence: The skill saves storage_state (auth tokens/cookies) to disk. Those files are equivalent to logged-in sessions—store them encrypted, restrict file permissions, and delete when no longer needed.
  • Sandbox/stealth flags: The recommended browser arguments include --no-sandbox and stealth techniques intended to evade detection. --no-sandbox reduces process isolation and increases risk if you run this on a shared or untrusted host. Prefer running automation in an isolated, single-tenant environment (e.g., a disposable VM or container) and avoid --no-sandbox unless you understand the risk.
  • Source trust: The source/homepage is unknown. Only run this skill if you trust the author or can inspect and control the code that will run. If you plan to use it, prefer copying the provided code into a controlled repo, lock dependencies to known good versions, and review any third-party libraries (playwright-stealth implementations can be unvetted).

If you want to proceed safely: obtain the dependencies from official registries, run the automation in an isolated container/VM, keep credentials in a vault and inject at runtime, secure storage_state files, and remove or avoid using --no-sandbox and other flags that weaken sandboxing.

Like a lobster shell, security has layers — review code before you run it.

latest vk977zft8ae5ep84t4gjfqamvsd81ba2q
545 downloads
0 stars
1 version
Updated 6h ago
v1.0.0
MIT-0

Church Account (LDS/LCR)

Automate login and tasks on churchofjesuschrist.org.

Login

OAuth Flow

The church uses OAuth via id.churchofjesuschrist.org. Any protected page redirects to login:

  1. Enter username → click Next
  2. Enter password → click Verify
  3. Redirects back to target page with session cookies

No MFA or CAPTCHA is typically required. Playwright + playwright-stealth handles it cleanly.

Credentials

Store in a password vault or environment variables:

  • Username (church account email or membership ID)
  • Password

Login with Playwright

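import asyncio
import os
from playwright.async_api import async_playwright
from playwright_stealth import Stealth

# Credentials are read from the environment at runtime. The variable names
# CHURCH_USERNAME / CHURCH_PASSWORD are assumptions; the skill does not define them.
USERNAME = os.environ["CHURCH_USERNAME"]
PASSWORD = os.environ["CHURCH_PASSWORD"]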

async def login(target_url="https://lcr.churchofjesuschrist.org", cookies_path="/tmp/church_cookies.json"):
    async with async_playwright() as p:
        browser = await p.chromium.launch(
            headless=True,
            # --no-sandbox turns off Chromium's process sandbox; the security scan above flags it
            args=["--no-sandbox", "--disable-blink-features=AutomationControlled", "--disable-dev-shm-usage"]
        )
        context = await browser.new_context(
            viewport={"width": 1920, "height": 1080},
            user_agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 ..."
        )
        page = await context.new_page()
        await Stealth().apply_stealth_async(page)
        await page.goto(target_url)

        # Enter username
        await page.fill('input[name="identifier"]', USERNAME)
        await page.click('button[type="submit"]')

        # Enter password
        await page.wait_for_selector('input[type="password"]')
        await page.fill('input[type="password"]', PASSWORD)
        await page.click('button[type="submit"]')

        # Wait for redirect
        await page.wait_for_url(f"{target_url}/**", timeout=30000)

        # Save session (cookies and local storage, including auth tokens) to disk
        await context.storage_state(path=cookies_path.replace('.json', '_state.json'))
        await browser.close()

Reusing a Session

After login, use saved storage state to skip re-authentication:

# Fragment: runs inside an async function, with `browser` launched as in login() above
context = await browser.new_context(
    storage_state="/tmp/church_cookies_state.json",
    viewport={"width": 1920, "height": 1080},
    user_agent="Mozilla/5.0 ..."
)
page = await context.new_page()
await Stealth().apply_stealth_async(page)

Key URLs

| Service | URL |
|---|---|
| LCR (Leader & Clerk Resources) | https://lcr.churchofjesuschrist.org |
| Ward Directory | https://directory.churchofjesuschrist.org |
| Calendar | https://www.churchofjesuschrist.org/calendar |
| Donations | https://donations.churchofjesuschrist.org |
| Temple Reservations | https://tos.churchofjesuschrist.org |
| My Home | https://www.churchofjesuschrist.org/my-home |
| Account Settings | https://id.churchofjesuschrist.org/account |

LCR Sections

After login, LCR provides access to:

  • Membership — member records, move-in/out, new members
  • Callings — current callings, sustaining, setting apart
  • Ministering & Welfare — assignments, needs
  • Finance — tithing settlement, budget, donations
  • Missionary — full-time and ward missionaries
  • Temple — recommend status, temple activity
  • Reports — attendance, quarterly reports

Tips

  • Login sessions persist via cookies — no need to re-login every request
  • Headless Chrome with playwright-stealth avoids detection
  • Storage state files contain auth tokens — treat as sensitive
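
The last tip, and the scan's finding that storage_state is written to /tmp without permission guidance, shown as an added example (not part of the skill's own code): writing the state to an owner-only file and auditing an existing one. The names `save_state_private`, `audit_state_file` and `SAMPLE_STATE` are hypothetical, a POSIX host is assumed, and the dict would come from calling `await context.storage_state()` without `path`.

```python
import json
import os
import stat
import tempfile

# Constructed sample in the shape Playwright's storage_state() returns; not a real token.
SAMPLE_STATE = {
    "cookies": [{"name": "session", "value": "CONSTRUCTED-NOT-A-REAL-TOKEN",
                 "domain": "example.invalid", "path": "/", "expires": -1,
                 "httpOnly": True, "secure": True, "sameSite": "Lax"}],
    "origins": [],
}

def save_state_private(state, directory, name="session_state.json"):
    """Write a storage_state dict so that only the current user can read it."""
    os.makedirs(directory, mode=0o700, exist_ok=True)
    os.chmod(directory, 0o700)  # makedirs' mode is filtered by umask; enforce it
    final = os.path.join(directory, name)
    # mkstemp creates the file 0600 from the start; the rename is atomic.
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".state-")
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(state, fh)
        os.replace(tmp, final)
    except BaseException:
        os.unlink(tmp)
        raise
    return final

def audit_state_file(path):
    """Return findings for a saved session file; an empty list means none."""
    findings = []
    st = os.stat(path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("file is accessible to group/other (want 0600)")
    if st.st_uid != os.getuid():
        findings.append("file is owned by a different user")
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("parent directory is writable by other users (e.g. /tmp)")
    return findings

if __name__ == "__main__":
    base = tempfile.mkdtemp()  # stand-in for a per-user state directory
    saved = save_state_private(SAMPLE_STATE, os.path.join(base, "sessions"))
    print(saved, audit_state_file(saved) or "no findings")
```

Run `audit_state_file` against any state file left over from earlier runs, and delete the file once the session is no longer needed.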
