Back to skill
Skillv1.0.0
ClawScan security
Hauscout · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousMar 4, 2026, 12:09 PM
- Verdict
- suspicious
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The SKILL.md describes a web-crawl → AI → DB pipeline, but its runtime instructions reference local paths, an environment file and secrets (DATABASE_URL, likely an OpenAI API key and git credentials) that are not declared in the skill metadata — that mismatch is concerning.
- Guidance
- Do not run this skill blindly. Before installing or executing: 1) Inspect the repository files (especially scripts/collect.ts, package.json) to see exactly which secrets and APIs it uses (DATABASE_URL, OPENAI_API_KEY or similar), what network calls it makes, and whether it actually contains Playwright/browser automation. 2) Expect to supply a DATABASE_URL and likely an OpenAI/API key and git credentials — verify those are only used for the declared purpose. 3) Because the SKILL.md uses an absolute user path, either run it from a controlled copy in an isolated environment (VM/container) or update paths to a safe workspace. 4) Review and test in a sandbox (no production DB), and confirm compliance with HouseSigma's terms of service and rate limits. 5) If you cannot inspect the underlying scripts or the author cannot justify the undeclared credentials and the use of absolute paths, avoid installing — the metadata/instructions mismatch makes the skill suspicious.
Review Dimensions
- Purpose & Capability
- concernThe described purpose (crawl HouseSigma, analyze with an LLM, store into Neon Postgres) matches the instructions, but the skill metadata declares no required env vars/credentials while the instructions explicitly require a DATABASE_URL (via .env.local) and implicitly require API credentials for AI calls and git push credentials. The absence of those declarations is incoherent.
- Instruction Scope
- concernSKILL.md directs the agent to run commands in a user-specific absolute path (/Users/kendrick/projects/hauscout), run Playwright to visit external sites, extract DOM text, write summary files under memory/YYYY-MM-DD.md, and git commit & push. It also shows a DB-check snippet that expects .env.local. These actions read/write local files, network resources, and potentially push to remote git — broader scope than the metadata implies.
- Install Mechanism
- noteThere is no install spec (instruction-only), which is low risk in itself. However the instructions assume a Node/TS environment (npx tsx), Playwright, and database/ORM packages are present. The skill will fail or behave differently unless those dependencies exist, and those dependencies could pull in binaries (Playwright browsers) when installed.
- Credentials
- concernMetadata lists no required env vars, but the SKILL.md uses process.env.DATABASE_URL (via .env.local) and references GPT-4o-mini analysis (which typically requires model/API credentials). It also triggers git push which requires git remote credentials. Requesting database and API credentials would be proportionate to the task, but they must be declared — the omission is a red flag.
- Persistence & Privilege
- notealways:false and model invocation not disabled (normal). The skill does not request permanent platform-level privileges, but it does mutate local state (writes memory/*.md, database writes, git commits/pushes). That local persistence is expected for the stated purpose but should be made explicit in metadata and user consent prompts.