Skill v1.0.0
ClawScan security
dealmoon · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 12, 2026, 7:49 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and instructions match its stated purpose (making an AJAX-style request to Dealmoon to fetch business listings); it is an instruction-only curl-based scraper with no extra credentials or installs requested.
- Guidance: This skill is an instruction-only scraper that issues curl POSTs to a Dealmoon AJAX endpoint and doesn't request credentials. Before installing: confirm you are allowed to scrape the target site (terms of service and legal considerations), be mindful of rate limits and polite usage to avoid blocking, and test in a controlled environment. If you need authenticated or higher-volume access, use an official API or credentials rather than scraping. One minor oddity: the example uses lang=cn despite the 'North America' description; verify that the parameters you send are appropriate for your target region.
Review Dimensions
- Purpose & Capability (ok): Name/description (fetch North American business listings) lines up with the single runtime action: a curl call to Dealmoon's AJAX endpoint. Requiring curl is proportional and expected.
- Instruction Scope (note): SKILL.md only shows a single curl example that mimics an XMLHttpRequest and posts form-encoded search parameters; this stays within the stated purpose. Minor inconsistency: the example uses lang=cn even though the description says 'North America' (likely a site-internal locale parameter), but otherwise the instructions do not ask for unrelated files, env vars, or credentials.
- Install Mechanism (ok): No install spec or external downloads; this is an instruction-only skill that relies on an existing curl binary. Low-risk.
- Credentials (ok): No environment variables, credentials, or config paths are requested. The skill does not ask for unrelated secrets or access.
- Persistence & Privilege (ok): Does not request always:true and does not modify system or other skills. Default autonomous invocation is allowed by the platform, but the skill itself has no elevated persistence or privileges.
