salesman-recommender
Review
Audited by ClawScan on May 14, 2026.
Overview
The skill matches its stated influencer-search purpose, but it logs into a merchant account, keeps a persistent browser session, and uses under-disclosed stealth browser automation, so it should be reviewed before use.
Before installing, confirm that automated access to Jingxuan Alliance is allowed for your account, use a dedicated/least-privilege account if possible, do not provide credentials unless you trust the script, and remove the persistent browser profile when finished if you do not want the session retained.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you log in or provide credentials, the account session may remain usable by future runs from the same machine/profile.
The script creates a persistent browser profile in the user's home directory so Jingxuan login cookies survive between runs. SKILL.md also supports email/password auto-login, while registry metadata declares no primary credential.
USER_DATA_DIR = os.path.join(os.path.expanduser('~'), '.daren_searcher_chrome_profile') ... chrome_options.add_argument(f'--user-data-dir={self.USER_DATA_DIR}') ... cookie 将跨会话保留
Use a dedicated least-privilege account if possible, avoid sharing passwords with the skill, and delete ~/.daren_searcher_chrome_profile when you no longer want the session retained.
Your account could be used in a way the provider may treat differently from normal browsing, potentially risking login challenges or account enforcement.
These Selenium options suppress browser automation indicators. Browser automation is central to the skill, but this stealth behavior is not disclosed in SKILL.md and may bypass site controls or increase account-policy risk.
chrome_options.add_experimental_option('excludeSwitches', ['enable-automation']) ... chrome_options.add_experimental_option('useAutomationExtension', False) ... chrome_options.add_argument('--disable-blink-features=AutomationControlled')
Only use this with accounts and sites where automation is permitted, and consider removing automation-hiding flags unless they are explicitly needed and approved.
The skill captures data from the logged-in page's API responses and processes it locally for export.
The script injects JavaScript into the browser page to intercept the seekAuthor API response. This is consistent with the stated Excel-export workflow, but users should know code runs inside the logged-in web session.
self.driver.execute_cdp_cmd('Page.addScriptToEvaluateOnNewDocument', {'source': interceptor_code})
Run it only for data you are allowed to access/export, and review the output file before sharing it.
Future installs could use newer dependency versions with different behavior or vulnerabilities.
The dependencies are standard for browser automation and Excel output, but the version ranges are not pinned, so installations may resolve to different package versions over time.
selenium>=4.15.0 pandas>=2.0.0 openpyxl>=3.1.0
Install from trusted package indexes and consider pinning dependency versions in a lockfile before production use.
