v1.0.0

Google Research Pro

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:05 AM.

Analysis

Review recommended because this instruction-only skill asks the agent to run an unbundled local Python/Playwright script to bypass Google bot checks and post results to Telegram.

GuidanceInstall only if you understand and trust the referenced local script, are comfortable with Playwright-based Google automation, and have configured a Telegram destination and credentials that you control.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Unexpected Code Execution

SeverityHighConfidenceHighStatusConcern

SKILL.md

Command: python C:\Users\Admin\OneDrive\Desktop\LearnOpCL\bot.py "{keyword}"

The skill directs the agent to execute a local Python file that is not part of the provided instruction-only artifact, with user input passed as an argument.

User impactInstalling users could cause their agent to run unreviewed local code with the user's permissions.

RecommendationOnly install after the referenced script is bundled or otherwise reviewed, provenance is clear, and execution is gated by explicit user approval.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusConcern

SKILL.md

Performs advanced Google searches using Playwright to bypass bot detection

The stated mechanism is to evade an external service's bot-detection controls using browser automation, with no clear rate limits or guardrails.

User impactThis could violate service rules, trigger blocking or account/IP penalties, or behave in ways the user did not intend from a normal search helper.

RecommendationPrefer official search APIs or documented, rate-limited browsing workflows, and avoid bot-detection bypass behavior.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

SKILL.md

Use environment variables or a secure vault for sensitive data (e.g., Telegram bot token, Google account credentials if needed).

The skill anticipates possible use of Telegram or Google credentials, but the registry declares no credential or env-var contract.

User impactUsers may need to provide account credentials without clear scope or permission boundaries in the metadata.

RecommendationUse least-privilege tokens, avoid personal Google credentials where possible, and document any required env vars before installation.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityLowConfidenceHighStatusNote

SKILL.md

Sends the formatted summary to the specified Telegram channel ... Destination: Telegram channel/user ID

Telegram delivery is disclosed and purpose-aligned, but it sends query-derived output to an external messaging destination.

User impactSearch topics and summarized results may be visible outside the local agent environment, depending on the configured Telegram channel.

RecommendationUse only a trusted Telegram destination and review content before posting if queries or results may be sensitive.