v1.0.0

Story Long Scan

SuspiciousClawScan verdict for this skill. Analyzed Apr 30, 2026, 2:26 PM.

Analysis

The skill's stated market-analysis purpose is coherent, but its bundled scraper can run local shell commands and reuse a logged-in browser session, and neither capability is declared in the skill's metadata.

Guidance: Install only if you are comfortable with the scraper controlling a browser and writing local report files. Prefer a fresh browser profile, do not run it against sensitive logged-in sessions, and review or patch the shell execution before using the Fanqie scraper.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High · Confidence: High · Status: Concern
scripts/fanqie-rank-scraper.js
const cmd = args.map((a) => `"${a.replace(/"/g, '\\"')}"`).join(" ");
return execSync(`agent-browser --cdp ${PORT} ${cmd}`, {

The scraper builds a shell command string to invoke agent-browser. This exposes a powerful browser-control tool through ad-hoc quoting rather than safe argument passing. The quoting only escapes embedded double quotes; under a POSIX shell, `$(...)`, backticks and backslashes inside a double-quoted string are still interpreted, and PORT is interpolated with no quoting at all.

User impact: A malformed or attacker-influenced argument could cause unsafe local tool use while the skill is scraping rankings.
Recommendation: Replace shell-string execution with execFile/spawn argument arrays, validate the CDP port and URLs, and require explicit user approval before browser-control or file-writing actions.
Agentic Supply Chain Vulnerabilities
Severity: Medium · Confidence: High · Status: Concern
scripts/fanqie-rank-scraper.js
Prerequisite:
  bash ~/.claude/skills/browser-cdp/scripts/setup_cdp_chrome.sh 9222

The scraper relies on an external browser-cdp setup script and agent-browser tooling that are not included in the skill package or declared as required dependencies.

User impact: The skill may fail or run unexpected local helper code depending on what browser-cdp or agent-browser implementation exists on the user's machine.
Recommendation: Declare all required tools and versions, document provenance for external helpers, and avoid relying on undeclared local skill paths.
Unexpected Code Execution
Severity: High · Confidence: High · Status: Concern
scripts/fanqie-rank-scraper.js
const { execSync } = require("child_process");
...
return execSync(`agent-browser --cdp ${PORT} ${cmd}`, {

The included script executes shell commands directly through execSync. The PORT value comes from command-line arguments and is interpolated, unquoted and unvalidated, into the shell command string.

User impact: Unsafe command construction can lead to unintended local command execution if arguments are manipulated.
Recommendation: Avoid shell execution for tool calls, validate PORT as a numeric value, and use safe process APIs that do not invoke a shell.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium · Confidence: High · Status: Concern
references/scan-output-format.md
Some data requires a logged-in session; browser-cdp can reuse an existing login

The reference explicitly allows reusing an existing logged-in browser session, while the registry declares no primary credential or required credential contract.

User impact: If the browser is logged in, the skill may access account-scoped pages or session state that the user did not expect to grant to this skill.
Recommendation: Declare browser-session reuse as a sensitive permission, ask for explicit approval before using logged-in sessions, and prefer a fresh browser profile for public ranking data.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low · Confidence: Medium · Status: Note
SKILL.md
Write the results to a Markdown file in the specified format
...
The user supplies the path of an existing scan-result file → load it directly and enter Phase 2 analysis

The workflow stores scraped or user-provided content in Markdown and later loads it for analysis, so untrusted web text could become part of the agent's context.

User impact: A malicious book description or supplied report could try to influence the analysis if treated as instructions rather than data.
Recommendation: Treat scraped and user-provided report text strictly as untrusted data, and ignore any instruction-like content inside collected rankings or descriptions.