Skill v1.1.0

ClawScan security

Clean Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 16, 2026, 5:14 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill largely implements the claimed restaurant cross-checking functionality, but there are several internal inconsistencies and operational risks (missing/incorrect dependency declarations, hidden persistence of browser sessions/cookies, and an instruction set that encourages heavy web scraping and proxy use) that warrant caution before installation.
Guidance
Key things to consider before installing or running this skill:
- Dependency and install gap: The code uses Playwright (and Playwright will download browser binaries), but SKILL.md's pip list omits playwright and instead mentions selenium. Check scripts/requirements.txt and add/install playwright before running; expect browser downloads and larger disk/network usage.
- Session/cookie persistence: The skill uses a session_manager and persistent Playwright contexts that store login cookies on disk. Inspect scripts/session_manager.py to see where session data are stored and ensure file permissions/restrictions are appropriate. Treat those session dirs as sensitive (they contain authentication state).
- Secrets and proxies: Although the registry metadata lists no required env vars, the skill expects cookies and may require proxy credentials if you enable proxies. Do not paste third-party proxy credentials or cookies into code/config files on multi-user systems; prefer environment variables or a secure secret store and review where the skill will persist them.
- Legal & ToS risk: The skill explicitly recommends scraping platforms that (per its own docs) prohibit scraping. Use only for personal research and be aware that sustained scraping may violate site terms and local laws. For production/commercial use, obtain official APIs.
- Test in a sandbox: Run the provided mock/server-friendly variant (crosscheck_simple or the example tests) first to verify behavior without performing real scraping. Review logs and network calls during a real run in an isolated environment.
- Review code paths: Before giving the skill network access or credentials, read session_manager.py and any remaining omitted files to check how credentials, proxies, and session directories are handled. Ensure no unexpected external endpoints are contacted and that data is not exfiltrated to third-party servers beyond the target platforms.
If you need help auditing specific files (e.g., session_manager.py or requirements.txt), provide them and I can inspect for storage locations, network endpoints, and credential handling.

Review Dimensions

Purpose & Capability
concern: The code and SKILL.md align with the stated purpose (cross-referencing Dianping and Xiaohongshu), and the repo contains matching fetch/match/scoring logic. However, metadata claims 'instruction-only' with no install spec while the package includes many Python scripts that require runtime dependencies (Playwright, requests, bs4, thefuzz, etc.). SKILL.md lists selenium in dependencies but the real scrapers use Playwright; Playwright is used in code but not declared in the SKILL.md dependency list. That mismatch between claimed install/packaging and actual runtime needs is an incoherence.
Instruction Scope
concern: Instructions explicitly direct web scraping (including use of residential proxies, cookie-based authentication, and rotating user-agents) and persistence of browser login sessions. This is within the stated purpose but expands the agent's runtime behavior into authenticated scraping and persistent local session storage. The SKILL.md and code ask the agent/user to maintain cookies and proxies (sensitive operational inputs) but do not declare how these should be supplied/secured. The instructions also recommend throttling and proxy rotation, which is practical but potentially enables large-scale scraping that may violate third-party ToS or law.
Install Mechanism
concern: There is no install spec in registry metadata (instruction-only), yet the skill contains non-trivial Python code that depends on third-party libraries and Playwright (which downloads browser binaries). SKILL.md lists a pip install line that includes selenium but omits playwright; code calls playwright.async_api. This mismatch means running the skill will likely fail or trigger implicit downloads (Playwright browser installs) with no guidance. Absence of a vetted install mechanism increases risk and friction.
Credentials
concern: The skill requests no environment variables in metadata, but its runtime behavior expects and documents needing cookies (for Xiaohongshu), proxy endpoints/credentials (residential proxy providers), and persistent session directories. Those are effectively sensitive credentials/configs but are not declared as required environment or secret inputs. The skill recommends third-party proxy providers (Bright Data, Smartproxy) which may require credentials; storing those in config files (scripts/config.py) or inserting them without clear secret handling is disproportionate and risky.
Persistence & Privilege
note: The skill creates and uses persistent browser sessions (Playwright launch_persistent_context with user_data_dir via session_manager). That means it will write cookies/session state to disk under session directories managed by the skill. 'always' is false and the skill does not request system-wide privileges, but persistent session storage and local cookie files are significant persistence vectors and should be reviewed before use.