Safe-Web
v1.0.8

Securely fetch and search web content by scanning and blocking prompt injection threats using PromptGuard before returning results.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (high confidence)

Purpose & Capability
Name and behavior align: the tool fetches HTML, extracts text, and scans with PromptGuard. Declared requirements (python3, prompt-guard, requests, beautifulsoup4, optional BRAVE_API_KEY) match the implemented functionality. No unrelated credentials or binaries are requested.
Instruction Scope
SKILL.md and README contain only fetch/search/scanning instructions and install guidance. They do recommend creating a system symlink (/usr/local/bin) and suggest disabling native web_fetch/web_search in OpenClaw config to force use of safe-web — these are user-facing operational changes (not automatically performed) and are reasonable for a drop-in replacement but worth reviewing before applying. The pre-scan flag ('ignore-previous-instructions') appears in the docs as an example of an attack pattern, not as an instruction to the agent.
Install Mechanism
Install uses pip to install standard packages and an editable install of a local PromptGuard workspace. This is a common approach for Python-based tools, but pip installs (and the SKILL.md's use of --break-system-packages) can modify system Python state — consider using a virtualenv or container to avoid impacting the host environment. No arbitrary remote download or obfuscated installer was observed.
Credentials
Only one optional environment variable (BRAVE_API_KEY) is referenced and justified for search functionality. The code does not request other secrets or config paths. skill.json declares python3 and dependency on prompt-guard, which are appropriate.
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills or agent configuration automatically. It recommends (but does not force) disabling native tools and creating a symlink; those are user actions and not implicit privileges.
Scan Findings in Context
[ignore-previous-instructions] expected: The SKILL.md/README describe prompt-injection patterns (including 'ignore previous instructions') as examples of threats to detect. This is a documentation occurrence, not an instruction to the agent or evidence of malicious intent.
Assessment
This skill appears coherent and implements what it claims: fetching HTML, extracting text, and scanning with PromptGuard. Before installing:
1) Review and trust the PromptGuard dependency (it's the core scanner);
2) Prefer a virtualenv/container rather than system-wide pip installs or --break-system-packages to avoid altering host Python;
3) Be cautious before creating a system symlink or disabling native web tools — those change system behavior and may affect other workflows;
4) Only provide BRAVE_API_KEY if you need search functionality and trust the environment;
5) If you want extra assurance, inspect the prompt-guard code and run safe-web in an isolated environment to confirm no unexpected network exfiltration.
The pre-scan injection flag in the docs is explanatory, not an active instruction.
