Skill v0.0.1
ClawScan security
咸鱼自动发货 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 1, 2026, 4:28 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's stated purpose (monitor Xianyu chats and auto-send fulfillment text) matches its instructions, but the runtime instructions rely on accessing the user's browser profile, local secret files, and invoking arbitrary APIs without declaring or limiting those accesses — this mismatch can expose sensitive data if misconfigured.
- Guidance: Before installing or enabling this skill, consider the following: (1) It will ask to reuse your main Chrome profile and may read local files (secret pools) or invoke user-specified APIs — only allow this if you trust the exact configuration and understand the data flows. (2) Prefer not to point it at your full Chrome profile; use a dedicated profile with only the necessary Xianyu session if possible. (3) Avoid storing production keys as plaintext files; use a secure credential store or environment variables and document them in the skill metadata. (4) Test in a safe environment with dummy keys and dummy buyer accounts to confirm it sends only intended text. (5) Require explicit confirmation steps or content review before sending secrets to buyers. (6) If you cannot review/run the automation yourself safely, treat this skill as high risk and do not enable scheduled runs that reuse your main session.
- Findings: [none] unexpected: The static scanner found no code to analyze (instruction-only skill). Absence of findings is not evidence of safety; the SKILL.md itself contains the runtime actions that determine the security surface.
Review Dimensions
- Purpose & Capability (note): Name/description match the instructions: monitoring chat, detecting paid orders and sending fulfillment messages. The capabilities requested in SKILL.md (browser automation, reading local files, calling APIs) are plausible for this purpose, but the skill metadata declares no required env/config while the instructions explicitly rely on local Chrome profiles and local secret pools — an omission worth noting.
- Instruction Scope (concern): The instructions tell the agent to reuse the main Chrome profile, read local txt key pools (delete lines after use), and call user-provided APIs (curl). Those actions allow access to browser cookies, session tokens, filesystem secrets, and arbitrary network endpoints. There are no safeguards in the prose to prevent accidental exfiltration (e.g., validating destinations or sanitizing output) and little guidance to prevent sending incorrect/secret content to buyers.
- Install Mechanism (ok): This is instruction-only (no install spec, no code files). That minimizes supply-chain risk because nothing is downloaded or written by an installer step.
- Credentials (concern): The skill declares no required env vars or credentials, yet instructs use of a main Chrome profile path and local secret files and external API calls. Those are effectively requests for high-value local secrets and session data but are not represented in the metadata, creating a transparency gap.
- Persistence & Privilege (note): always is false (normal). The skill recommends scheduling a recurring cron job that must run in the 'main' session to reuse the browser profile — this increases runtime access to persistent browser credentials. Autonomous invocation is permitted (default), which expands blast radius if misconfigured, but autonomous invocation alone is expected for skills.
