Skill v0.1.1

ClawScan security

Cloudflare Crawl · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 11, 2026, 2:04 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and required environment variables align with its stated purpose of driving Cloudflare's Browser Rendering crawl API and do not request unrelated secrets or perform unexpected actions.
Guidance
This skill appears to do what it claims: it calls Cloudflare's Browser Rendering crawl API and returns results. Before installing, consider: (1) Only provide an API token with the minimum required permission (Account.Browser Rendering) and avoid using a broadly-scoped account token; rotate the token if it becomes exposed. (2) Running large crawls may incur cost and use significant browser-minutes—test with small limits first. (3) Respect site terms of service and robots.txt when crawling third-party sites. (4) As with any code from an unknown source, review the included script yourself and run it in a controlled environment; do not expose the token to untrusted systems.

Review Dimensions

Purpose & Capability
ok
Name/description (Cloudflare Browser Rendering crawl) match the required environment variables (CLOUDFLARE_API_TOKEN, CLOUDFLARE_ACCOUNT_ID) and the included CLI script which calls Cloudflare's browser-rendering endpoints. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
ok
SKILL.md instructs the agent to start, poll, and fetch results from Cloudflare's API and to set the two Cloudflare env vars. The example code writes crawl results to local files (fs.writeFileSync), which is expected for saving scraped pages. The instructions do not ask the agent to read unrelated system files, other credentials, or to transmit data to third-party endpoints outside Cloudflare's API.
Install Mechanism
ok
No install spec is provided (instruction-only plus a small CLI script). No external downloads, package installs, or archive extraction are performed by the skill. The script uses built-in Node APIs (fetch/FS) and can run without additional installs on a modern Node runtime.
Credentials
ok
Only CLOUDFLARE_API_TOKEN and CLOUDFLARE_ACCOUNT_ID are required, which is proportionate for calling Cloudflare's account-scoped Browser Rendering API. The SKILL.md also correctly instructs creating a token with Account.Browser Rendering permission.
Persistence & Privilege
ok
The skill is not marked always:true and uses normal, user-invocable invocation. It does not request persistent system-wide privileges or attempt to modify other skills' configuration.