Skill v1.0.0
ClawScan security
Crawlee · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 11, 2026, 9:29 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only guide for using the Crawlee scraping libraries and its requirements and instructions are consistent with that purpose.
- Guidance: This skill is a documentation/guide for using the Crawlee libraries and appears internally consistent. Before using: (1) be aware the examples install packages (npm/pip) and Playwright which download browser binaries and require network access; only run those commands on systems you control. (2) If you plan to supply proxy URLs they may include credentials; treat them as sensitive. (3) Web scraping can raise legal and ethical issues; check robots.txt and the target site's Terms of Service and applicable law. (4) The skill is instruction-only (it won’t run code by itself), but the agent may recommend commands to execute; review any suggested shell commands before running. (5) If you’re concerned about the skill being suggested too often, note it is configured to trigger for many loosely related phrases; consider limiting invocation scope or confirm before acting.
Review Dimensions
- Purpose & Capability: ok. The name/description match the provided content (detailed JS/Python guidance for Crawlee). There are no unexpected required binaries, env vars, or config paths.
- Instruction Scope: ok. SKILL.md contains step-by-step installation and usage examples for Crawlee (npm/pip/playwright installs, example crawlers, API refs). It does not instruct the agent to read unrelated system files, exfiltrate secrets, or contact hidden endpoints. Note: the doc explicitly tells the agent to trigger for many loosely related user phrases, which affects when the skill will be suggested but does not change its technical scope.
- Install Mechanism: ok. This is an instruction-only skill (no install spec). It recommends standard package installs (npm, pip, playwright install) which is expected for this content. Nothing in the skill pulls arbitrary archives or personal servers.
- Credentials: ok. The skill declares no required environment variables or credentials. It documents optional proxy configuration (which naturally may carry credentials when used) but does not request unrelated secrets.
- Persistence & Privilege: ok. "always" is false and the skill does not request persistent system-wide privileges. Autonomous invocation is allowed (platform default) but is not combined with other concerning privileges.
