Skill Review

The skill says it scrapes ClawHub pages and gathers Security Scan (VirusTotal/OpenClaw) info and runtime requirements for local skills. It requires python3 and VIRUSTOTAL_API_KEY and uses Playwright to render client-side content — all of which are coherent with that goal.

Runtime instructions and included script enumerate local skill folders (SKILL.md), derive slugs, visit https://clawhub.ai/<owner>/<slug>, expand page details, and extract Security Scan / Runtime / Comments. The script only reads SKILL.md, optional slug-map, and a local suppressions.json (next to the script or in parent) and may read ~/.openclaw/.env as a fallback for the VT key. It does not attempt to read unrelated system files or credentials.

No install spec is provided (instruction-only with bundled script). The script depends on Playwright (Python) and therefore the user will likely install the playwright package and download Chromium via 'playwright install chromium' — this downloads a browser binary from upstream, which is expected but worth noting as an external binary download.

Only VIRUSTOTAL_API_KEY is required (declared). The script legitimately uses the VT key to query VirusTotal and implements client-side rate limiting. The only other env-read behavior is a fallback to ~/.openclaw/.env to find the same key; no unrelated secrets or credentials are requested.

The skill is user-invocable and not set to always: true. It writes an output markdown to the specified --out path (example /tmp/) and may create Playwright browser artifacts if you install Playwright, but it does not persistently modify other skills or system-wide agent settings.