wechat-article-extraction-mp-weixin-qq-com news-webpage-cleaning blog-post-parsing metadata-extraction-title-author-date multiple-output-formats-markdown-json-plain-text batch-processing-support

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only web article extraction skill with disclosed network fetching options and no hidden executable behavior.

Install only if you need webpage extraction from public or authorized pages. Be careful with batch volume, avoid caching sensitive content, use only trusted proxies, and verify provenance because the artifact claims OpenClaw Team authorship but the provided metadata does not independently establish trusted publisher status.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill explicitly documents support for custom User-Agent strings and proxy configuration for web fetching, but it does not clearly warn users that using these options can expose request metadata to third parties, route traffic through untrusted infrastructure, or create legal/privacy issues when accessing external sites. In a web-extraction skill, these network-affecting options materially change the security posture and can enable unsafe or deceptive scraping behavior if users are not properly cautioned.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal