Back to skill
Skillv1.0.0
ClawScan security
Web Scraper Pro · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousMar 2, 2026, 4:14 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's description promises live web scraping from external finance APIs, but the provided code contains only local mock data and the SKILL.md references dependencies and data sources that the code doesn't use — this inconsistency is suspicious and worth clarification before installing.
- Guidance
- This skill is inconsistent: it advertises real-time scraping from external finance APIs and lists requests/BeautifulSoup, but the included Python script only returns simulated data and has no network calls. Before installing or using it, ask the maintainer for the real implementation or source code repository, confirm whether network access and the listed Python dependencies will be required, and whether the tool adheres to data-source terms of service. If you expect real scraping, run the skill in an isolated/sandboxed environment and inspect any future versions for actual network requests (requests/urllib) and external endpoints. Avoid providing credentials unless you can verify the skill's origin and necessity.
Review Dimensions
- Purpose & Capability
- noteName/description claim real-time scraping from Sina/East Money and list dependencies (requests, BeautifulSoup4), but the shipped webscraper.py contains only simulated/local data and no network or requests/bs4 imports. The single required binary (python3) is appropriate, but the declared external data sources and dependencies are not reflected in the code.
- Instruction Scope
- okSKILL.md provides focused runtime instructions (command dispatch to the webscraper tool) and does not instruct the agent to read unrelated files, environment variables, or exfiltrate data. It does mention URL scraping but explicitly notes that a browser tool is required.
- Install Mechanism
- okNo install spec (instruction-only) and a single Python script included. No external archives or installers are fetched, minimizing install-time risk.
- Credentials
- okThe skill requests no environment variables, credentials, or config paths. The code does not access secrets or external configurations.
- Persistence & Privilege
- okalways is false and the skill is user-invocable with normal autonomous invocation allowed. The skill does not request persistent elevated privileges or modify other skills' config.