Skill v1.0.2

ClawScan security

XCrawl Scrape · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 12, 2026, 3:15 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's declared requirements and runtime instructions match its stated purpose (calling XCrawl's scraping API using a locally stored API key); nothing appears disproportionate or unrelated.
Guidance
This skill is internally consistent with a client for the XCrawl scraping API. Before installing: (1) Confirm you trust xcrawl.com and your API key issuer; (2) Consider storing your API key in a secure secret manager rather than an unencrypted ~/.xcrawl/config.json file; (3) Be cautious with webhook URLs you supply — they will receive scraped content; (4) Review any use of skip_tls_verification or proxies in request options (these lower network security); (5) Remember this skill runs curl/node commands at runtime (so the agent will need those tools available). If any of the above is unacceptable, don't install or ask the publisher for alternative auth/storage methods.

Review Dimensions

Purpose & Capability
ok: The name/description (XCrawl scraping: single-URL fetch, sync/async, JSON extraction) aligns with the actual instructions, which call https://run.xcrawl.com/v1/scrape. The declared tool dependencies (curl or node) and the local config file (~/.xcrawl/config.json) are coherent for an API-key based client.
Instruction Scope
ok: SKILL.md instructs only to read the local config file for XCRAWL_API_KEY, then make HTTP requests to the XCrawl API using curl or node. It does not instruct reading other user files, scanning the system, or transmitting unrelated data. The webhook feature exists as part of the API (user-specified callback URL) — expected for async scrape workflows but a user-controlled sink.
Install Mechanism
ok: This is an instruction-only skill with no install spec and no code files, so nothing is downloaded or written by an installer. That minimizes install-time risk.
Credentials
ok: No global environment variables or external credentials are requested. The skill requires a single locally stored API key (~/.xcrawl/config.json), which is proportionate to calling a paid scraping API. Note: storing an API key as plaintext in a home directory is sensitive but is a user configuration choice rather than a requirement of the skill.
Persistence & Privilege
ok: The skill does not request always:true and is user-invocable only. It does request runtime execution permissions for curl/node (consistent with examples). There is no instruction to modify other skills or system-wide agent settings.