Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Console Patrol

v0.1.0

Automatically scans web apps for console errors and warnings, providing framework-specific diagnostics and fix suggestions for React, Ant Design, and Element...

by ThatsD (@zhzgao)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, and runtime examples align: a console-scanning tool reasonably needs a Python package and a headless browser (Playwright/Chromium) to execute scans and capture console output.
Instruction Scope
SKILL.md tells the agent to run pip install console-patrol and playwright install chromium (including example subprocess.run code). Those runtime install instructions download and execute third-party code and binaries, and the skill then fetches whatever URLs it is given to scan. The instructions neither constrain where packages and binaries are installed (system Python vs. a virtualenv) nor limit target URLs, which broadens the skill's runtime effects.
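As an added example (not code from the Console Patrol skill or its author), here is a target-URL gate of the kind these instructions lack: it accepts only http and https, only hosts the operator has allowlisted (with a separate list for local development servers), and refuses allowlisted names that resolve to loopback, private, link-local or otherwise non-public address space, which is what a scanner that takes arbitrary URLs would otherwise reach. The allowlist entries, the example.test hostnames and the fake resolver in the test are constructed for illustration.

```python
"""Added example: gate the URLs a console scanner is allowed to open."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed policy for the example (an operator would maintain these).
PUBLIC_ALLOWLIST = {"staging.example.test"}   # must resolve to public IPs only
LOCAL_DEV_HOSTS = {"localhost", "127.0.0.1"}  # dev servers on this machine


def resolve_all(host):
    """Every IPv4/IPv6 answer for host via real DNS (getaddrinfo)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()


def is_public_ip(text):
    """False for loopback, RFC 1918, link-local (which covers the cloud
    metadata address 169.254.169.254), multicast, reserved, unspecified
    and anything else ipaddress does not consider globally routable."""
    ip = ipaddress.ip_address(text.split("%")[0])  # drop an IPv6 scope id
    return ip.is_global and not (ip.is_private or ip.is_loopback
                                 or ip.is_link_local or ip.is_multicast
                                 or ip.is_reserved or ip.is_unspecified)


def check_scan_target(url, public_allowlist=PUBLIC_ALLOWLIST,
                      local_hosts=LOCAL_DEV_HOSTS, resolve=resolve_all):
    """Decide whether the scanner may open url. Returns (ok, reason)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme %r not allowed" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    if host in local_hosts:
        return True, "local development host"
    if host not in public_allowlist:
        return False, "host %r not in allowlist" % host
    addrs = resolve(host)
    if not addrs:
        return False, "host did not resolve"
    # Reject if ANY answer is non-public: a rebinding or split-horizon
    # name must not be able to point the headless browser inward.
    bad = sorted(a for a in addrs if not is_public_ip(a))
    if bad:
        return False, "host resolves to non-public address %s" % bad[0]
    return True, "allowlisted public host"


if __name__ == "__main__":
    for candidate in ("http://localhost:3000/",
                      "http://169.254.169.254/latest/meta-data/",
                      "file:///etc/passwd"):
        print(candidate, check_scan_target(candidate))
```

The resolution check is a point-in-time answer: the browser will resolve the name again when it connects, so a rebinding name can still change between the check and the request. To close that window, pass the checked address to the browser rather than the name (Chromium accepts a --host-resolver-rules switch for exactly this) or run the scanner in a network namespace that can only reach the allowlisted addresses.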
Install Mechanism
There is no formal install spec; instead the README instructs the agent to pip install a package named 'console-patrol' and run Playwright's installer. Installing from PyPI and downloading Chromium are reasonable for the functionality but risky without provenance: pip packages can execute arbitrary code during install, and Playwright will download large browser binaries. No package version pinning, checksums, or official upstream links/homepage are provided.
Credentials
The skill does not request environment variables, credentials, or config paths — proportional to the stated purpose. However, runtime installation will modify the agent environment (install packages/binaries), which is a side effect not declared in metadata.
Persistence & Privilege
The always flag is false and the skill is user-invocable (normal). SKILL.md explicitly instructs the agent to install packages and browser binaries, which creates persistent files on disk and may change the agent's environment; this is expected for such a tool but increases the blast radius compared with an instruction-only skill that makes no on-disk changes.
What to consider before installing
This skill's purpose and code examples are coherent, but it asks the agent to install a PyPI package ('console-patrol') and Playwright/Chromium at runtime without providing a source URL, package version, checksums, or homepage. Before installing, verify the package provenance (PyPI project page, GitHub repo, maintainer), prefer a pinned version and checksum, and run installs in an isolated environment (virtualenv or sandbox) to avoid altering system-wide Python or downloading untrusted binaries. If you cannot verify the package/source, avoid running the automatic pip/playwright install and ask the skill's author for a signed release or official upstream link. Also be cautious about scanning arbitrary remote URLs (possible sensitive-target scanning or SSRF) and consider limiting scanning to trusted hosts or local development instances.
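As an added example (not the skill's code), here is what the advice above amounts to as a pre-install gate: it refuses a requirements file in which any package is not pinned to an exact version with a sha256 hash, and builds the argv for a hash-checked, wheels-only install into a dedicated virtualenv, with Playwright's browser download confined under that same directory via PLAYWRIGHT_BROWSERS_PATH. The requirement lines, version numbers and hashes are placeholders constructed for the example, not real values for console-patrol or playwright.

```python
"""Added example: refuse the SKILL.md-style bare 'pip install', and
produce a pinned, hash-checked, virtualenv-confined install instead."""
import re
import sys
from pathlib import Path

# Constructed samples. UNPINNED is the shape SKILL.md asks the agent to
# run; PINNED is the shape a reviewer should insist on. Versions and
# hashes here are placeholders, not real values.
UNPINNED = "console-patrol\nplaywright\n"
PINNED = (
    "console-patrol==0.0.0 --hash=sha256:" + "0" * 64 + "\n"
    "playwright==0.0.0 --hash=sha256:" + "1" * 64 + "\n"
)

# name==version followed by one or more sha256 hashes, as pip's
# --require-hashes mode expects.
_PINNED_LINE = re.compile(
    r"^[A-Za-z0-9][A-Za-z0-9._-]*==[^\s;]+(?:\s+--hash=sha256:[0-9a-f]{64})+$"
)


def unpinned_lines(requirements):
    """Requirement lines lacking an exact version or a sha256 hash."""
    bad = []
    for raw in requirements.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments, blanks
        if line and not _PINNED_LINE.match(line):
            bad.append(line)
    return bad


def install_plan(venv_dir, requirements_path, requirements):
    """Argv lists (no shell string) for a hash-checked install into a fresh
    venv. Raises ValueError instead of installing if anything is unpinned."""
    bad = unpinned_lines(requirements)
    if bad:
        raise ValueError("refusing to install unpinned requirements: %s" % bad)
    venv = Path(venv_dir)
    bindir = "Scripts" if sys.platform == "win32" else "bin"
    pip = str(venv / bindir / "pip")
    return [
        [sys.executable, "-m", "venv", str(venv)],
        # --require-hashes: every package (transitive ones included) must
        #   be listed with a matching hash or pip aborts.
        # --only-binary=:all:: wheels only, so no sdist setup.py code runs
        #   on the agent's machine during install.
        [pip, "install", "--require-hashes", "--only-binary=:all:",
         "-r", requirements_path],
    ]


def browser_install_env(venv_dir, base_env):
    """Environment for 'playwright install chromium' that keeps the browser
    binaries under the venv instead of the user's home directory, so
    removing the venv removes everything the skill put on disk."""
    env = dict(base_env)
    env["PLAYWRIGHT_BROWSERS_PATH"] = str(Path(venv_dir) / "pw-browsers")
    return env


if __name__ == "__main__":
    for step in install_plan("./cp-venv", "./requirements.txt", PINNED):
        print(" ".join(step))
    print(unpinned_lines(UNPINNED))  # the lines SKILL.md would have run
```

To obtain a real pinned line, fetch the wheel with pip download and hash it with pip hash, then compare the result against the project's PyPI page and, if one exists, its upstream release; with --require-hashes every transitive dependency must also appear in the file, which is the point of the mode.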

Like a lobster shell, security has layers — review code before you run it.

latestvk97b88m1d7mn6j3d44mrt7ea6983y638
