Skill v1.0.0
ClawScan security
Wadiz DM Pipeline · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 20, 2026, 6:15 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code matches its stated purpose (scrape Wadiz/Tumblbug project pages and generate personalized DMs), but the package metadata omits the Anthropic API credential the script requires, and at runtime the script sends scraped project text to a third-party LLM service. That mismatch warrants caution before installing.
- Guidance: Before installing or running:
  1. The script scrapes project titles and descriptions and, if you supply ANTHROPIC_API_KEY, sends that text to Anthropic. Decide whether you are comfortable transmitting scraped maker content to a third party.
  2. The package manifest does not declare ANTHROPIC_API_KEY even though the code requires it and will ask you to set it (export ANTHROPIC_API_KEY='sk-...'). Treat that key as sensitive: use a dedicated, revocable key and revoke it when you stop using the skill.
  3. SKILL.md says to run locally (on a Mac); follow that. Running on a public server widens the blast radius if the key or the scraped data leaks.
  4. Review the included script (pipeline.py) yourself, or run it in an isolated environment, before supplying any credentials.
  5. Consider the legal and ethical implications of scraping and sending unsolicited DMs to makers; check the sites' Terms of Service and local regulations.
  For a lower-risk test, run without ANTHROPIC_API_KEY: the script falls back to a local template and makes no external API calls.
Review Dimensions
- Purpose & Capability
- note: The skill's name and description (crawl Wadiz/Tumblbug projects and produce personalized DMs) match the included script: it scrapes category pages, filters projects at 50–99% funding, extracts detail text, and generates DMs. However, the registry metadata declares no required environment variables or primary credential, while the script requires ANTHROPIC_API_KEY to generate personalized DMs. Needing an LLM API key is consistent with the stated purpose; omitting it from the metadata is the inconsistency.
- Instruction Scope
- note: SKILL.md explains local execution and the Playwright requirement, and the script implements only crawling, local CSV output, and DM generation. Scope caveat: when ANTHROPIC_API_KEY is present, the script transmits scraped project titles and descriptions to Anthropic's API to generate DM text. SKILL.md does not explicitly state that scraped content is sent to a third party, although the script prints the prompt it sends, which makes the behavior visible. The script does not attempt to read unrelated local files or system credentials.
- Install Mechanism
- ok: There is no install spec; the skill is instruction-only plus a Python script. Installation risk is low: the dependencies are standard Python packages (playwright, anthropic) installed with pip per the README. No remote binary downloads or archive extraction are specified.
- Credentials
- concern: The script requires ANTHROPIC_API_KEY to call Anthropic's API, which is appropriate for LLM-powered DM generation, but the registry metadata lists no required env vars or primary credential. That mismatch is a meaningful incoherence: the skill prompts you for a sensitive API key at runtime that its manifest never declared. No other unrelated credentials are requested.
- Persistence & Privilege
- ok: The skill does not request permanent 'always' inclusion, does not modify other skills or system-wide settings, and writes output only to an output/ CSV inside the skill folder. It does launch the browser in headful mode (headless=False), so a browser window appears on the host.
