Skill v1.0.1

ClawScan security

Etsy Digital Sales · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 30, 2026, 2:28 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions require Etsy OAuth credentials and browser automation (ChromeDriver), and direct the user to store API tokens in the agent, but the registry metadata declares no required env vars or install steps. That mismatch, combined with the skill being instruction-only (the agent will generate scripts at runtime that use your credentials), is concerning.
Guidance
Do not install or provide credentials until you are comfortable with how they will be used and stored. Specific points to check before proceeding:

- The skill metadata should explicitly list required env vars (ETSY_API_KEY, ETSY_OAUTH_TOKEN, ETSY_OAUTH_SECRET) and any binaries (ChromeDriver); their absence is a red flag.
- Because this is instruction-only (no code shipped), the agent will generate scripts at runtime that will use your Etsy credentials and control a browser; review any generated code before running it and consider running it in an isolated/sandbox environment.
- Prefer creating OAuth credentials with the minimum scopes necessary, and use short-lived tokens or revocable credentials you can rotate.
- Ask the author for a trustworthy source/homepage and for an install spec that pins dependencies and shows how ChromeDriver is obtained; if unavailable, treat the skill as higher risk.
- If you must try it, do so with a throwaway Etsy account and limited-permission API credentials until you can fully audit the generated automation.

Review Dimensions

Purpose & Capability
concern: The skill's stated purpose (automating an Etsy digital store) legitimately requires Etsy API keys, OAuth tokens, and browser automation (selenium + ChromeDriver). However, the registry metadata lists no required environment variables, no primary credential, and no required binaries: a clear mismatch between what the skill says it needs and what it declares to the platform.
Instruction Scope
concern: SKILL.md explicitly instructs obtaining an Etsy API Key, ETSY_OAUTH_TOKEN, and ETSY_OAUTH_SECRET and saving them in 'Settings > Advanced', then using Selenium/ChromeDriver to produce scripts that perform listing, renewal, and review collection. Because this is an instruction-only skill (no shipped code), the agent is expected to generate and run automation that will access those credentials. The instructions do not specify how credentials will be protected, nor do they limit the scope/permissions of the OAuth tokens.
Install Mechanism
note: There is no install spec (instruction-only), which removes the risk of an install step writing arbitrary files to disk. However, SKILL.md requires runtime components (Python 3, selenium, ChromeDriver) but gives no guidance for installing them, a practical and security-relevant omission: the user or agent may fetch these ad hoc from unpinned, unverified sources.
Credentials
concern: The runtime clearly needs sensitive credentials (ETSY_API_KEY, ETSY_OAUTH_TOKEN, ETSY_OAUTH_SECRET), yet the registry metadata lists none and no primary credential. Asking users to place OAuth tokens into agent settings without declaring them is disproportionate and opaque; users should know exactly what secrets are required and how they will be used and stored.
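The mismatch flagged under Purpose & Capability and Credentials (instructions that name secrets and binaries the metadata never declares) is mechanical to check. The script below is an added example, not ClawHub's scanner and not part of the skill: it extracts env-var-style names and known runtime components from a SKILL.md and diffs them against what the registry metadata declares. The SKILL.md excerpt and both metadata documents are constructed for illustration, and the metadata keys (`env`, `primaryCredential`, `binaries`, `install`) are an assumed schema, not the real registry format.

```python
"""Cross-check a skill's SKILL.md against its registry metadata.

Added example, not ClawHub's own scanner code. The metadata schema used here
(keys "env", "primaryCredential", "binaries", "install") is an assumption
chosen for illustration; adapt the key names to the real registry format.
"""
import json
import re

# Constructed excerpt standing in for the skill's SKILL.md (not the real file).
SKILL_MD = """\
# Etsy Digital Sales

1. Create an Etsy app and copy the API key into ETSY_API_KEY.
2. Complete OAuth and save ETSY_OAUTH_TOKEN and ETSY_OAUTH_SECRET in Settings > Advanced.
3. Install Python 3, selenium and ChromeDriver, then generate scripts for listing,
   renewal and review collection.
"""

# Constructed metadata that declares nothing, as the scan report describes.
METADATA_UNDECLARED = json.dumps({
    "name": "etsy-digital-sales", "version": "1.0.1",
    "env": [], "primaryCredential": None, "binaries": [], "install": None,
})

# Constructed metadata showing what a properly declared skill would look like.
METADATA_DECLARED = json.dumps({
    "name": "etsy-digital-sales", "version": "1.0.1",
    "env": ["ETSY_API_KEY", "ETSY_OAUTH_TOKEN", "ETSY_OAUTH_SECRET"],
    "primaryCredential": "ETSY_OAUTH_TOKEN",
    "binaries": ["chromedriver", "python3"],
    "install": {"pip": ["selenium==4.21.0"]},  # assumed install-spec shape
})

# UPPER_SNAKE_CASE tokens with at least one underscore, e.g. ETSY_OAUTH_TOKEN.
ENV_VAR_RE = re.compile(r"\b[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+\b")

# Runtime components the instructions may tell the agent to obtain, matched
# case-insensitively; the keys are the canonical names metadata should declare.
BINARY_PATTERNS = {
    "chromedriver": re.compile(r"chrome\s*driver", re.I),
    "python3": re.compile(r"python\s*3", re.I),
}

# Phrases that imply secrets persist inside the agent's configuration.
PERSIST_RE = re.compile(r"settings\s*>\s*advanced", re.I)


def referenced_env_vars(skill_md: str) -> set[str]:
    return set(ENV_VAR_RE.findall(skill_md))


def referenced_binaries(skill_md: str) -> set[str]:
    return {name for name, pat in BINARY_PATTERNS.items() if pat.search(skill_md)}


def check_skill(skill_md: str, metadata_json: str) -> dict:
    """Return a report of what the instructions need but the metadata omits."""
    meta = json.loads(metadata_json)
    declared_env = set(meta.get("env") or [])
    declared_bin = set(meta.get("binaries") or [])
    needed_env = referenced_env_vars(skill_md)

    missing_env = needed_env - declared_env
    missing_bin = referenced_binaries(skill_md) - declared_bin
    instruction_only = not meta.get("install")  # no install spec: code is generated at runtime

    findings = []
    if missing_env:
        findings.append(("concern", f"undeclared env vars: {sorted(missing_env)}"))
    if needed_env and not meta.get("primaryCredential"):
        findings.append(("concern", "credentials required but no primary credential declared"))
    if missing_bin:
        findings.append(("concern", f"undeclared binaries: {sorted(missing_bin)}"))
    if instruction_only and (missing_env or missing_bin):
        findings.append(("concern", "instruction-only skill will generate code that uses undeclared secrets/binaries"))
    if PERSIST_RE.search(skill_md):
        findings.append(("note", "instructions store secrets persistently in agent settings"))

    has_concern = any(sev == "concern" for sev, _ in findings)
    verdict = "suspicious" if (missing_env and instruction_only) else ("review" if has_concern else "clean")
    return {
        "verdict": verdict,
        "missing_env": sorted(missing_env),
        "missing_binaries": sorted(missing_bin),
        "instruction_only": instruction_only,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, meta in (("undeclared", METADATA_UNDECLARED), ("declared", METADATA_DECLARED)):
        print(label, json.dumps(check_skill(SKILL_MD, meta), indent=2))
```

Run against the undeclared metadata the report reproduces the scan's core finding (three undeclared env vars, two undeclared binaries, instruction-only); against the declared variant only the persistent-storage note remains. A regex over prose will miss secrets described in words alone ("your API key"), so treat a clean result as necessary, not sufficient.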
Persistence & Privilege
note: The skill does not request always:true or other elevated privileges. That said, the instructions to save API keys/OAuth tokens in 'Settings > Advanced' imply persistent storage of credentials in the agent environment; the skill provides no guidance about token scope, rotation, or least privilege, which increases long-term risk if tokens are stored improperly.