Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Data Harvester Pro
v1.0.0Batch web scraping for competitor analysis, price monitoring and market research
⭐ 0· 346·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description promise batch web scraping, real-time stock data, competitor scraping across platforms and export capabilities, but the Python code contains only hard-coded mock data and local file reads; there are no network requests, no scraping logic, and no browser automation or scraping dependencies implemented. The declared required binary (python3) is proportional, but the functionality advertised is not implemented in the code.
Instruction Scope
SKILL.md instructs use of browser automation, CSS selectors, configurable rate limiting and exporting (openpyxl installation), but the runtime instructions and script do not perform those actions — they merely read a file and print sample/mock outputs. This mismatch could lead an agent or user to try to install/execute additional tools or to expect network access that the packaged code does not contain. SKILL.md also contains unicode-control-chars (prompt-injection) signal.
Install Mechanism
No install spec is provided and only python3 is required; nothing is downloaded or extracted. This lowers installation risk. However, the README suggests external installs (openpyxl, browser automation) that are not supplied by the package.
Credentials
The skill requests no environment variables, no credentials, and no config paths. Given the claimed functionality it might normally need API keys for target services, but none are requested — this is inconsistent with advertised live scraping but not an immediate credential risk.
Persistence & Privilege
The skill is not always-enabled and does not request elevated persistence. It contains no code that modifies other skill configs or system-wide settings.
Scan Findings in Context
[unicode-control-chars] unexpected: Control/unicode manipulation characters were detected in SKILL.md. This is not expected for a normal scraper README and could be an attempt at prompt injection or to influence parsing; review the SKILL.md raw content for invisible characters before trusting automatic processing.
What to consider before installing
This skill appears to be an incomplete or placeholder scraper: it advertises live web scraping, cross-platform competitor comparisons and exports, but the shipped Python implements only mocked data and local file reading. Before installing or using it: 1) don't provide any credentials—none are requested but the advertised features would normally need API keys or browser automation; 2) inspect the SKILL.md raw text for hidden/control characters (the scanner flagged unicode-control-chars); 3) review and run the Python file in a sandbox to verify behavior (it currently makes no network calls); 4) expect to need to manually install browser automation tools (Selenium/Playwright) and libraries like openpyxl if you want the advertised features—ask the author for a clear implementation or sources for scraping logic; 5) if you plan to run real scraping, do so in an isolated environment and confirm legal/robots.txt compliance. Given the mismatches, treat this skill as untrusted until the author provides a coherent implementation and removes suspicious hidden characters.Like a lobster shell, security has layers — review code before you run it.
batchvk97be39j824jna0r071vp4e6gd825q2acompetitorvk97be39j824jna0r071vp4e6gd825q2acrawlervk97be39j824jna0r071vp4e6gd825q2adatavk97be39j824jna0r071vp4e6gd825q2alatestvk97be39j824jna0r071vp4e6gd825q2a
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🧑🌾 Clawdis
Binspython3