Skill v1.0.1
ClawScan security
Fiverr Gig Automation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 30, 2026, 2:28 AM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's description (browser automation using Selenium) is plausible, but the package is instruction-only and inconsistent: it asks you to store Fiverr credentials in settings, references code files and dependencies that are not provided, and gives no install or provenance. This mismatch and the credential handling are concerning.
- Guidance: This skill purports to automate Fiverr via browser automation but is instruction-only and provides no code or install provenance. Before installing or providing any Fiverr credentials: 1) Do not paste your Fiverr password into this skill's settings unless you can verify the code and trust the author. 2) Request the missing items from the publisher: the actual scripts/configs, an install spec (how to install Selenium/ChromeDriver), and a clear explanation of where credentials are stored and how they're protected. 3) Consider account risk: automated messaging/offer-sending and scraping can violate Fiverr Terms of Service and lead to suspension. 4) Prefer API- or OAuth-based integration where available instead of storing passwords. 5) If you must test, do so with a throwaway Fiverr account and review the actual code first. Providing the missing code, a vetted install source, and a secure credential-handling design would materially reduce the concern.
Review Dimensions
- Purpose & Capability (concern): The skill claims to automate Fiverr via browser automation (Selenium/ChromeDriver) which matches the stated capability. However, the registry lists no required env or files while SKILL.md instructs storing FIVERR_EMAIL/FIVERR_PASSWORD/FIVERR_USERNAME in Settings and promises several scripts/config files that are not present. Asking for raw Fiverr credentials and promising to 'create gigs' and 'manage inbox' is coherent with the goal but the absence of any provided code or declared credential requirements is inconsistent and unexplained.
- Instruction Scope (concern): SKILL.md explicitly instructs storing login credentials in Settings and describes browser automation actions (create gigs, send offers, reply to inbox, request reviews, scrape earnings). Those actions require access to user credentials and to the account data. The instructions also reference specific deliverable scripts and a config file that are not actually included. The instructions are therefore overbroad relative to what the package actually provides and grant the agent discretion to access and act on user account data.
- Install Mechanism (note): There is no install spec (instruction-only), so nothing will be written or downloaded by default. SKILL.md, however, lists runtime dependencies (Python 3, selenium, requests) and ChromeDriver. This creates a practical installation requirement that is not captured in the registry and could fail at runtime; it also leaves unspecified how ChromeDriver and Selenium would be obtained and how versions/paths are managed.
- Credentials (concern): The skill asks users to save FIVERR_EMAIL, FIVERR_PASSWORD, and FIVERR_USERNAME in Settings but the registry declares no required credentials or primaryEnv. Requiring plaintext Fiverr credentials is high-risk and should be explicitly declared and justified; the SKILL.md gives no guidance on secure storage, least privilege, or alternatives (OAuth/API). The amount and sensitivity of data requested (account password) is disproportionate without code to review or provenance to trust.
- Persistence & Privilege (note): The skill is not set to always:true and is user-invocable, which is normal. However, it requests persistent storage of account credentials in Settings (not part of the declared metadata), which increases its effective privilege if the platform stores those values and the skill can read them later. The skill does not declare modifying other skills or system-wide settings.
