Skillv1.6.0

ClawScan security

Novel Scraper · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 4, 2026, 9:37 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code, instructions, and required resources are consistent with a network HTML scraper for novels; it reads/writes local files and uses curl/BeautifulSoup but does not request unrelated credentials or hidden endpoints.
Guidance: This skill appears to do what it claims: fetch HTML with curl, parse with BeautifulSoup, cache to /tmp, and save TXT files under ~/.openclaw/workspace/novels. Before installing: (1) be aware it will make outbound HTTP(S) requests to whatever URLs you pass (and can fetch internal endpoints if you instruct it to) — run it in a network-restricted or sandboxed environment if you are concerned about SSRF or unintended crawling; (2) it writes state and cache files under your home directory and /tmp — back up or review those files if needed; (3) scraping copyrighted content may violate terms of service or law in your jurisdiction — ensure you have permission to scrape sites; (4) the code uses subprocess.run to call curl and writes files, so review or run it in an isolated environment if you want to be extra cautious. If you do not want the agent to call this skill autonomously, disable autonomous invocation in your agent settings.

Purpose & Capability: okName/description (novel scraping, pagination, merging) align with the included scripts and configs: scripts perform HTML fetches, parse chapter numbers, handle pagination, cache to /tmp and ~/.openclaw, and save TXT files. Hardcoded site config and catalog logic for bqquge.com match the stated purpose.
Instruction Scope: okSKILL.md directs running the provided Python scripts in the skill workspace and saving outputs to ~/.openclaw/workspace/novels. The runtime instructions and scripts only reference local files, site HTML, and curl calls to target URLs; they do not attempt to read unrelated system credentials, other skills' config, or exfiltrate data to third-party endpoints.
Install Mechanism: okNo install spec is present (instruction-only skill). The package includes Python scripts and a small requirements.txt (beautifulsoup4). There are no downloads from untrusted URLs or archive extraction steps in the manifest.
Credentials: okThe skill requires no environment variables or external credentials. It writes state/cache under ~/.openclaw and /tmp and creates log files; these file operations are proportional to a scraper. No SECRET/TOKEN/PASSWORD env vars are requested.
Persistence & Privilege: okalways is false and the skill does not modify other skills or global agent configuration. It persists its own state under its skill directory and /tmp, which is expected for resumable scraping.