Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
scut-review-monitor
v1.0.2
Check or monitor the SCUT thesis blind-review status page through the graduate portal and refresh cookies through a local Python helper.
by Song Xianfeng @songxf1024
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description, SKILL.md, config.json, and portal_monitor.py are consistent: the script logs into the SCUT portal via Playwright, saves cookies locally, polls a target page XPath, and sends notifications to user-configured endpoints. There are no unrelated credentials or unexpected external services required by the declared purpose.
Instruction Scope
Runtime instructions only ask the agent/user to run the local Python helper with specific commands (login, check-once, monitor) and to edit the bundled config.json. The SKILL.md explicitly warns not to echo secrets and not to run background daemons silently. The script reads/writes only its own config and cookie files and interacts with the portal and configured notification endpoints, which fits the stated scope.
Install Mechanism
There is no registry install spec, but the script expects Python packages (requests, lxml, playwright) and will attempt to auto-install Chromium via `python -m playwright install chromium` if Playwright reports the browser is missing. That will download browser binaries at runtime. You should install dependencies in a controlled environment (virtualenv) and be aware of the automatic browser download behavior.
Credentials
The skill does not request environment variables or unrelated secrets. Notification configuration is stored in config.json (notify_url, notify_target, notify_key, serverchan_sendkey) which is reasonable for its notification feature. One caveat: DEFAULT_CONFIG in the code contains a hardcoded notify URL/IP and target values (an IP: 14.103.144.178 and an example target). The bundled config.json currently contains placeholders, so the hardcoded DEFAULT_IP is unlikely to be used unless config.json omits notify settings — still, it's worth verifying and replacing notification endpoints/keys with your own before use.
Persistence & Privilege
The skill does not request 'always: true' or modify other skills or agent-wide settings. It will write its own cookie file and config file (or require you to create them), and it may install a browser binary — these are local effects aligned with its purpose.
Assessment
This skill appears to do what it says: interactively log into the SCUT graduate portal via a local Chromium browser, save cookies, poll a page XPath, and notify you when the watched text changes. Before installing or running it:
1) Inspect and edit the included config.json, especially notify_url/notify_target/notify_key, and replace placeholders with your own notification endpoints; do not leave notification endpoints pointing to unknown IPs.
2) Run the script in a contained Python virtualenv and install requirements yourself (pip install -r requirements.txt) so you control package sources.
3) Be aware the script may download Chromium at runtime when Playwright is missing.
4) The script stores cookies in a local cookies.json file; treat that file as sensitive.
5) If you want continuous/background monitoring, run it under a supervisor you control (systemd/cron) as recommended; do not allow silent, indefinite background runs without your approval.
