Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

sg-property-scraper

v1.0.1

Search Singapore property rental and sale listings with flexible filters. Use when asked to search Singapore properties, find rental or sale listings, check...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the included script and documentation. Required binary (python3) and the declared primary credential (GOOGLE_MAPS_API_KEY) align with the stated functionality (scraping + optional commute calculation). Minor note: the SKILL metadata marks GOOGLE_MAPS_API_KEY as the primaryEnv even though the README/SKILL.md say the key is optional (only required when --commute-to is used). This is explainable but worth noting.
Instruction Scope
SKILL.md instructs the agent to run the included scraper and to use --json/--dry-run flags; it does not ask the agent to read unrelated files or exfiltrate data. The scraper code includes an impersonation profile (IMPERSONATE_PROFILE = "safari17_2_ios") intended to make requests appear like a browser and help bypass Cloudflare/anti-bot measures — this is within the scraper's purpose but is a behaviour the user should be aware of (it may violate some sites' terms of service or local law/policy).
Install Mechanism
There is no automated install spec (instruction-only skill + script), so nothing is fetched or executed at install time. The README/SKILL.md ask the user to pip-install a small set of Python libraries (curl_cffi, beautifulsoup4, lxml) which is proportionate to a web-scraper.
Credentials
No required environment variables are listed and the only credential declared is GOOGLE_MAPS_API_KEY, which is used solely for optional commute time calculations via Google Routes API. The credential request is proportional to the feature it enables. Confirm that you only provide a key with the minimal required API permissions (Routes API) and do not supply other unrelated secrets.
Persistence & Privilege
The skill does not request always: true and does not indicate system-wide persistence or modification of other skills. It is a run-once script invoked by the agent; no elevated platform privileges are requested.
Assessment
This skill appears to do what it claims: scrape PropertyGuru listings and optionally compute commute times via the Google Routes API. Before installing or running it:
1) Review the script source yourself (or run it in an isolated environment) to confirm there are no unexpected network endpoints or data exfiltration — the included code appears to target propertyguru.com.sg and Google only.
2) Be aware the scraper uses an impersonation profile to evade anti-bot protections — this can violate a target site's terms of service and, in some contexts, be legally or ethically problematic.
3) Only provide a Google Maps API key if you need commute calculations; scope the key to the minimum APIs (Routes) and monitor usage.
4) Install required Python packages into a virtualenv, and consider rate-limiting requests (respect robots.txt / site policies).
If you need the agent to run the skill autonomously and are concerned about remote requests or ToS, either restrict autonomous invocation or use the --dry-run option to preview generated URLs before scraping.

Like a lobster shell, security has layers — review code before you run it.

latestvk9777rhtc7sgv4j3w78a14kr9981de2h


Runtime requirements

Bins: python3
Primary env: GOOGLE_MAPS_API_KEY
