Skill v1.0.0
ClawScan security
AutoGLM Toolkit · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 11, 2026, 5:10 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The SKILL.md claims an API-backed toolkit with browser automation and requires authentication (token/appid/secret) and session persistence, but the registry metadata lists no required credentials or install steps and there is no code—these mismatches warrant caution.
- Guidance: This skill is internally inconsistent: the runtime docs require an API token, app id, and secret and describe session persistence and browser automation, but the registry declares no credentials or install steps and there's no source/homepage to verify. Before installing or using it, ask the publisher for: (1) an authoritative homepage or code repo and proof that autoglm-api.zhipuai.cn is owned by the vendor; (2) an updated registry manifest that lists required env vars (AUTOGLM_TOKEN, APPID, SECRET) and explicit instructions for how/where sessions are stored; (3) clear data-handling and privacy rules for screenshots, scraped content, and third‑party account credentials. Do not provide real account passwords to the skill; if you test it, use throwaway/non-sensitive accounts and minimal privileges. If the publisher cannot clarify these gaps, treat the skill as untrusted.
Review Dimensions
- Purpose & Capability (concern): The skill describes heavy-weight capabilities (autonomous browser automation that can log in, like/comment/repost, take screenshots, and persist sessions) but is an instruction-only skill with no code or install spec. The registry metadata declares no required env vars or credentials, yet the SKILL.md documents an AUTOGLM_TOKEN plus appid/secret-based signing for API calls. It's unclear how browser automation or session persistence would be implemented locally versus delegated to a remote service; the credentials and storage claims are not represented in the declared requirements.
- Instruction Scope (concern): SKILL.md instructs the agent to perform web actions on third‑party sites (social media, shopping, docs), to log in and fill forms, to take screenshots, and to persist sessions. It also specifies API endpoints for web-search, open-link, image generation, etc. The instructions reference authentication secrets (token, appid, secret) and session pools, but do not limit or explain how sensitive user credentials or scraped content are handled. There are contradictory statements: 'Login/captcha always requires manual user interaction' vs. 'Login to websites, fill forms.'
- Install Mechanism (note): No install spec or code files are present (instruction-only). That lowers filesystem/injection risk, but also increases ambiguity about runtime: the skill appears to assume an external AutoGLM service will perform actions. The lack of an authoritative homepage, source, or documented installation path makes it harder to validate the remote endpoints.
- Credentials (concern): Registry metadata lists no required env vars, but the SKILL.md defines AUTOGLM_TOKEN and shows code requiring appid and secret to compute X-Auth-Sign. This is an inconsistency: the skill will need sensitive credentials (token, app id, secret) to call the API, but they are not declared. Additionally, the skill's functionality implies it may request or handle user account credentials for third-party sites, yet there is no guidance or safeguards described.
- Persistence & Privilege (note): always:false and autonomous invocation allowed (defaults) — normal. However, the SKILL.md claims a session pool with 12-hour TTL and session persistence/resume behavior; the skill does not declare where sessions are stored or who controls them. Persistent session handling combined with browser automation capabilities increases the impact if credentials or screenshots are mishandled.
