web-reader-pro

Key points to consider before installing or running this skill: - Metadata mismatch: The registry claims no required environment variables but SKILL.md and the code expect JINA_API_KEY and other WEB_READER_* vars. Treat the SKILL.md as authoritative unless the publisher clarifies the registry record. - Sensitive credential: JINA_API_KEY is required for Tier 1. Only provide that key if you trust the skill and have reviewed the code paths that send data to Jina's API. - Installer risk (npm / npx): The included scripts install npm packages globally and create a wrapper that runs 'npx --yes scrapling'. npx downloads and executes packages from the npm registry at runtime which can run arbitrary code. If you don't trust the upstream npm package or the author, avoid running the installer or run it in a contained environment (VM/container) and review the installed package contents first. - Persistent local files: The skill writes cache, quota counters, and learned routing JSON under ~/.openclaw. Review and/or sandbox these files if you are concerned about persisted data. - Code review recommended: Although behavior is broadly consistent with a web extractor, review scripts/web_reader_pro.py for any hardcoded endpoints, logging of sensitive data, telemetry, or unexpected network calls before supplying secrets. - Safer options: If you want to test, run inside an isolated environment (container or throwaway VM), do not provide production API keys (use test keys), and inspect network traffic or code behavior before enabling on a production agent. If you want, I can: (1) scan the remainder of web_reader_pro.py for any network endpoints or hardcoded URLs, (2) point out exact paths/files the skill will create, or (3) produce a safe installation checklist to minimize risk.