Skill v1.0.0

ClawScan security

Huo15 Skills · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 17, 2026, 3:18 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The package claims to be an enterprise Word (.docx) generation skill but contains many unrelated modules (web scrapers, multi‑agent tools, installers) and scripts that handle cookies, require interactive logins and download runtimes — the requested/installed footprint is broader than the stated purpose.
Guidance
This package is a multi-component repo packaged as a 'Word doc' skill. Before installing or running anything:
1) Treat it as multiple separate tools — if you only need the Word generator, extract and run only the create-word-doc.py (and inspect it) rather than installing the whole repo.
2) Do NOT run install scripts (playwright/scrapling/searxng installers) or login scripts (qichacha QR login) on your main machine — they download runtimes, open browsers, and persist cookies/configs; run them only in an isolated VM or container after code review.
3) Verify and remove any SKILL.md unicode control characters; they may be an attempt to influence agent parsing.
4) If you need web-scraping or MCP integrations, confirm the precise credentials/API keys required and where they will be stored; prefer skills that declare required env vars explicitly.
5) If you are not comfortable auditing code, prefer a minimal, single-purpose skill from a verified publisher or ask the author for a trimmed package that contains only the office-doc module and a clear, minimal install spec.
Findings
[unicode-control-chars] unexpected: The SKILL.md contained unicode control characters (prompt-injection signal). This can be used to try to manipulate evaluation or agent parsing; it's not expected for a straightforward doc-generation skill and should be removed or inspected before use.

Review Dimensions

Purpose & Capability
concern: The skill is presented as a Word document generator, and the office-doc SKILL.md is focused on .docx generation. However the bundle also contains multiple unrelated components (JS scrapers, qichacha scraper with QR login and cookie storage, searxng installer, multi-agent scripts, NotebookLM integration). The top-level metadata declares no env vars and only python-docx dependency, but many included scripts require Playwright, scrapling, interactive Google/NotebookLM login, and even recommend installing system packages — this mismatch suggests the repo is a multi-skill collection rather than a single-purpose doc generator.
Instruction Scope
concern: The office-doc SKILL.md instructions themselves are scoped to generating Word files and call a local create_word_doc script (coherent). But other SKILL.md files and scripts in the package instruct the agent/operator to perform network scraping, run Playwright headful/headless browsers, perform QR-code login flows and save cookies in the user's home directory, and to run install scripts. Those instructions go beyond document generation and involve collecting and storing credentials/cookies and interacting with external services.
Install Mechanism
note: Registry metadata shows no install spec (instruction-only), but the repository includes many helper install scripts and instructions that will download runtimes: pip installs (playwright, scrapling), 'playwright install chromium' (fetches Chromium), and searxng install scripts. There's no single vetted release host for all components and some scripts will write files under the user's home directory. The lack of a curated install spec combined with ad-hoc install instructions increases risk if you run them.
Credentials
concern: The published skill declares no required environment variables or credentials, yet multiple included components expect/require secrets or interactive auth: NotebookLM requires interactive Google login and an nlm CLI; the qichacha scraper mentions saving cookies and suggests using qcc API keys for MCP access; other README/SKILLs reference adding API keys to OpenClaw configuration. That discrepancy (declaring no envs while including code that handles credentials) is a proportionality/incoherence issue.
Persistence & Privilege
note: always:false (no forced platform privilege). However several scripts write persistent data into the user's filesystem (e.g., cookies at ~/.cache/huo15-js-scraper/qichacha_cookies.json, generated config files under ~/.openclaw/workspace/skills or workspace/knowledge-base). The bundle includes multi-agent and installer scripts that can spawn processes. While not explicitly requesting elevated platform privileges, these behaviors create persistence and broader attack surface if executed.