NodeMaven – Premium Proxies for Account Management, Automation, and Scraping
SuspiciousAudited by ClawScan on May 10, 2026.
Overview
The skill is mostly coherent for NodeMaven proxy setup, but it appears to include a hardcoded proxy password while also handling paid proxy credentials and purchase workflows.
Review this skill before installing. Confirm the reported proxy_password is not a real credential; if it is, rotate it immediately. Only provide NodeMaven credentials in a trusted session, verify the official API/dashboard domains yourself, and require explicit approval before purchases or account changes.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the redacted value is a real proxy password, someone with access to the skill artifact could use the proxy account or cause costs and abuse tied to that account.
The supplied static scan says the skill file appears to contain a hardcoded proxy password. Proxy credentials are explicitly treated by the skill as secrets, so including one in the artifact could allow unauthorized proxy use or billing impact.
suspicious.exposed_secret_literal ... Evidence: proxy_password: [REDACTED]
Do not install until the publisher confirms the value is only a dummy placeholder. If it was real, remove it from the skill, rotate the proxy credential, and publish only placeholders or environment-variable references.
Providing these credentials lets the agent validate the account, configure proxy access, and potentially affect usage or sub-user settings.
The skill openly requires handling provider API keys, proxy usernames/passwords, and sub-user passwords. This is aligned with the proxy-management purpose, but it grants access to a paid external account.
The agent handles three classes of secrets: ... NodeMaven API key ... Proxy credentials ... Sub-user passwords
Use a least-privilege API key if available, avoid pasting credentials into shared chats, rotate exposed keys/passwords, and confirm any account or sub-user changes before they happen.
The agent could guide actions that create accounts, buy proxy plans, or change service configuration.
The skill includes account creation and purchase workflows for a paid proxy service. This is part of its stated purpose, but spending money or changing provider account state is high-impact.
Guide the user through account creation, purchase, or API-key retrieval.
Require explicit user confirmation before any purchase, plan change, sub-user creation, password rotation, or other account mutation.
Misuse could lead to account bans, legal issues, or unintended traffic attributed to the user’s proxy account.
The skill is designed for proxy-backed automation and mentions anti-detect account workflows. That is disclosed and purpose-aligned, but it can be used in ways that violate platform rules or laws.
scraping, browser automation, and data collection ... stronger anti-detect setups
Use the skill only for authorized workflows and comply with target site terms, laws, and provider policies.
Users have less assurance that the instructions came from the official provider or a trustworthy maintainer.
The artifact has no declared source repository or homepage. There is no executable install payload, but provenance matters because the skill asks users to rely on provider endpoints and credentials.
Source: unknown; Homepage: none
Verify the NodeMaven domains and API documentation independently before entering credentials or making purchases.