Skill v1.0.0
ClawScan security
web-scraper · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict: Suspicious (Apr 16, 2026, 3:42 PM)
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's description matches a web-scraping tool, but the runtime instructions require installing and running third‑party npm packages and a Chrome extension (which can access all page content) while the registry metadata claims no binaries/config — these inconsistencies and the implicit remote data flow are concerning.
- Guidance: Before installing or running this skill, consider the following:
  - Inconsistency: the registry metadata lists no required binaries, but the SKILL.md requires `datalens-mcp-call`, Node ≥18, and installing `datalens-mcp-server` via npm (or using npx). Ask the publisher why the metadata omits these requirements and request a homepage/source repository.
  - npm/npx risk: the instructions rely on npm/npx to fetch and run third-party code. Verify the exact package name and a specific version on the npm registry, inspect the package contents (or the Git repository), and prefer pinned versions over npx or global installs.
  - Chrome extension risk: the extension will have access to page content and tabs. Confirm the extension's publisher, review its permissions, and audit its code (or install only from the official Chrome Web Store after validation). Avoid using it on pages with sensitive credentials, personal data, bank/account pages, or internal corporate systems until you validate its privacy practices.
  - Data exfiltration: the skill mentions a backend AI call during analysis. Clarify what data is sent to external servers, read the service privacy policy, and avoid scraping sensitive pages if the backend processes page content remotely.
  - Operational safety: if you must test it, run it against non-sensitive public pages first, in an isolated environment, and prefer a local, audited build of the datalens tools rather than npx.
  - If the publisher/source cannot be verified, treat this skill as untrusted. Request a homepage, source repo, package links, and privacy/security documentation; that information could change the assessment to benign if it confirms provenance and appropriate safeguards.
Review Dimensions
- Purpose & Capability (concern): The SKILL.md clearly implements a web scraper using a local MCP proxy and a Chrome extension (consistent with the skill name). However, the registry metadata declares no required binaries or install steps, while the instructions require `datalens-mcp-call` (or npx), `datalens-mcp-server` (npm) and Node ≥18 plus a Chrome extension. That metadata/instruction mismatch is incoherent and worth questioning.
- Instruction Scope (concern): Instructions tell the agent to spawn a local MCP proxy that talks to a Chrome extension to click buttons, open/close tabs, and extract page content. They also mention a backend AI call during column analysis — implying scraped page content or selectors will be sent to an external DataLens backend. The SKILL.md does not describe where data is sent, privacy boundaries, or what the backend does with page content.
- Install Mechanism (concern): There is no formal install spec in the skill bundle, but the instructions ask users/agents to run `npm install -g datalens-mcp-server` or use `npx datalens-mcp-call`. Using npx or global npm installs will fetch and run code from the npm registry on demand, a moderate-to-high risk operation if the package source/version and publisher are not verified. The Chrome extension installation is also required and can grant wide permissions to browsing data; neither the extension source nor the npm package provenance is provided.
- Credentials (note): The skill declares no required environment variables or credentials (which is consistent). However, it implicitly requires the user to be logged into target sites in Chrome and to install an extension that can read all page content and tabs. While expected for a scraper, that level of browser access is high-privilege relative to the simple registry metadata.
- Persistence & Privilege (note): The skill is not marked `always:true` and does not request persistent system-wide changes in the bundle. However, it enables the agent to run local commands and (if allowed to invoke autonomously) could execute npx or spawn servers that interact with the browser; combined with the install-and-extension flow, the autonomous invocation capability increases the blast radius. Autonomous invocation alone is not flagged, but it amplifies the other concerns.
