Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

page-behavior-audit

v1.0.7

Deep behavioral audit with hashed policy (CSP-compliant, no plaintext badwords)

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared functionality (browser automation, content-policy checks, HAR/screenshot exports, WeCom alerts) matches the actions defined in skill.yaml and SKILL.md. However, the registry metadata at the top of the report claims no required env vars, while both SKILL.md and skill.yaml declare two required env vars (WECOM_WEBHOOK_URL and OPENCLAW_AUDIT_DIR). This mismatch is a packaging/information-coherence issue and could confuse users about the configuration they need.
!
Instruction Scope
Runtime steps perform browser navigation to arbitrary user-provided URLs, extract up to 10k characters of page text, capture links, save screenshots and HAR files, and (on critical findings) send the aggregated report (including alerts and extracted data) to the configured WeCom webhook. These instructions are within an auditor's scope but explicitly transmit scraped page content to an external endpoint; that data flow is sensitive and should be treated cautiously.
Install Mechanism
There is no remote download; install.sh is a local installer that copies skill.yaml into an OpenClaw skills directory and creates an audit directory. It supports a --system mode that will use sudo and write under /etc and /var. The installer does not fetch code from external URLs, which reduces supply-chain risk, but running it in system mode grants filesystem write capability and will create/own audit directories system-wide.
!
Credentials
Required env vars (WECOM_WEBHOOK_URL and OPENCLAW_AUDIT_DIR) are consistent with the described notification and storage features. However, the webhook is used to transmit the full aggregated report (template data includes json .steps.aggregate-report.output), which can contain extracted page text, links, redirects, and possibly HAR metadata. If the webhook endpoint is untrusted or replaced with an attacker-controlled URL, this provides a clear exfiltration channel. Also, the policy signature and verification_url look like placeholders and cannot be validated from the packaged files.
Persistence & Privilege
The skill does not request always:true and does not modify other skills' configs. The installer can write to system directories when run with --system (requires sudo). The .claude/settings.local.json included grants several Bash-related permissions (e.g., Bash(bash:*)) which is unusual in a skill bundle and should be reviewed; it suggests local tooling may run shell commands during development or verification.
What to consider before installing
This skill is plausibly a page-auditor but has several red flags you should address before installing:
1) Packaging mismatch — the registry metadata claims no required env vars, but SKILL.md and skill.yaml require WECOM_WEBHOOK_URL and OPENCLAW_AUDIT_DIR; confirm requirements with the author.
2) Data exfiltration risk — alerts send the aggregated report (which may contain up to 10k chars of page text, links, redirects, HAR/screenshot paths) to the configured WeCom webhook. Only set WECOM_WEBHOOK_URL to a trusted internal webhook; for initial testing use a disposable/internal sink.
3) Signature/verification placeholders — the policy signature and verification_url appear not verifiable from the bundle; if policy integrity is important, ask for a real signing key and verification endpoint.
4) Installer privileges — install.sh can copy files under system paths when run with --system; avoid running as root unless you trust and have reviewed the package.
5) Local permissions file — .claude/settings.local.json contains broad Bash permissions; confirm why shell execution is needed and remove/lock down unneeded permissions.
Recommended actions: review skill.yaml and SKILL.md in full, run the skill in an isolated environment (container or VM) against non-sensitive targets, set OPENCLAW_AUDIT_DIR to an isolated directory, use a safe/test webhook for alerts, and verify the policy signature/verification process with the maintainer before using on production targets.

Like a lobster shell, security has layers — review code before you run it.

latest: vk970vnpzx8mgfsrhtqwbe1pheh80ztkf

Runtime requirements

🔍 Clawdis
