v1.0.0

sf-scrapper

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 6:16 AM.

Analysis

This skill is coherent, but it should be reviewed because it deliberately uses your logged-in SAP SuccessFactors Chrome session to scrape sensitive employee profile data, including batches.

GuidanceBefore installing, confirm that you are allowed to use an agent to access SuccessFactors data through your logged-in browser session. Use it only for specific, authorized employee lookups, avoid broad batch requests, and do not return more employee personal data than needed.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusNote

SKILL.md

If user provides multiple employee IDs, iterate through each one sequentially using the same workflow. Collect results and present as a table.

Batch browser automation is disclosed and aligned with the purpose, but it can bulk-collect HR profile data without stated quantity limits or a separate confirmation step.

User impactA broad request could cause the agent to gather many employees' profile details from the live HR system.

RecommendationUse small, explicit batches and require clear user confirmation before collecting or presenting multiple employees' details.

Agentic Supply Chain Vulnerabilities

SeverityInfoConfidenceHighStatusNote

metadata

Source: unknown
Homepage: none
No install spec — this is an instruction-only skill.

There is no executable install path, but the skill has limited provenance information, so users cannot easily verify its origin or maintainer context.

User impactThe lack of source or homepage makes it harder to assess who authored the instructions or why this browser-scraping approach was chosen.

RecommendationPrefer skills from a known publisher or review the instruction text carefully before enabling it for enterprise HR data.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityHighConfidenceHighStatusConcern

SKILL.md

Always use `profile="chrome"` — never `profile="openclaw"` (we need the user's authenticated session).

The skill intentionally uses the user's existing authenticated Chrome/SAP SuccessFactors session rather than a separate scoped credential or isolated browser profile.

User impactThe agent could access and return sensitive employee data available through the user's SuccessFactors account, including data for multiple employees if requested.

RecommendationInstall only if you intend to let the agent use your active SuccessFactors login; limit use to authorized employee IDs, avoid broad batches, and confirm what data should be returned.