ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AIR SDK — Collective Web Intelligence

Collective web intelligence for browser agents. Discover site capabilities, get CSS selectors, extract structured data, and report outcomes. When one agent l...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 38 · 0 current installs · 0 all-time installs
byFrans@fransdevelopment
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match the declared requirements: it needs an AIR_API_KEY and npx to install/run an MCP server that shares site capabilities and selectors. Required binary and primaryEnv are appropriate for a networked SDK for browser agents.
!
Instruction Scope
The SKILL.md instructs the agent/operator to run `npx @arcede/air-sdk install-skill` and to write an MCP entry into ~/.openclaw/openclaw.json (including the AIR_API_KEY). The manifest declared no required config paths, yet instructions explicitly modify a system-wide OpenClaw config file. The skill also requires reporting exact CSS selectors (potentially sensitive or revealing), and it claims PII/cookies are never sent — a claim you must trust the provider for, because it is not verifiable from the skill alone.
Install Mechanism
This is an instruction-only skill with no packaged install spec, but it tells you to run an npx command which will fetch and execute code from npm at install/runtime. That is a moderate risk (external code downloaded and run on your machine). The npx/npm origin is standard but still requires reviewing the package source and provider before running.
Credentials
Only one environment variable (AIR_API_KEY) is required and is the declared primary credential, which is proportionate for a cloud service. The guidance to store the key in the OpenClaw config is normal but concentrates a secret in a file — consider how that file is protected.
!
Persistence & Privilege
Installing the MCP server entry writes to ~/.openclaw/openclaw.json and registers a local command (`air-sdk`) to be invoked by the agent. That gives the skill an ongoing presence and the ability to be autonomously invoked by agents. While this is normal for MCP-style skills, the manifest did not declare config path changes and the action affects the agent runtime configuration, so you should treat it as a privileged change.
What to consider before installing
Before installing: 1) Review the upstream code and npm package (@arcede/air-sdk) and the GitHub repo to confirm what the npx installer does. 2) Backup ~/.openclaw/openclaw.json before running the installer — it will modify your OpenClaw config. 3) Use a dedicated or limited-scope AIR_API_KEY (rotate/delete it if compromised) and check the service's privacy policy because the skill requires sending selectors/outcome data to the provider. 4) If possible, run the installer in a sandbox or test environment and observe network activity to see what is transmitted. 5) If you need strong guarantees about not sending PII/cookies, ask for documented data schemas or run local tests to confirm what the service transmits. If you are unable to review the package source or comfortable with these risks, treat this skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk97a3m9bhx1vrhs5jj1nyp9nhn83955m

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🌐 Clawdis
Binsnpx
EnvAIR_API_KEY
Primary envAIR_API_KEY

SKILL.md

AIR SDK — Collective Web Intelligence

You have 4 MCP tools from AIR SDK. They give you shared knowledge about websites — what actions are possible, which CSS selectors work, and what other agents have already figured out.

When to use these tools

  • User asks you to do something on a website (search, buy, extract data, compare prices)
  • User asks what's possible on a site
  • User asks you to extract or scrape data from a URL
  • You need to interact with a website and want to know the correct selectors before navigating

Workflow: browse, execute, act, report

Always follow this order:

Step 1: Browse capabilities

Before navigating to any site, check what's known about it:

Tool: browse_capabilities
Input: { "domain": "amazon.com" }

This returns capabilities (search, purchase, filter, etc.) with confidence scores and available macros.

Step 2: Execute a capability

Get the specific execution plan with CSS selectors:

Tool: execute_capability
Input: { "domain": "amazon.com", "capability": "search_products", "parameters": { "query": "wireless headphones" } }

This returns step-by-step instructions: which URL to visit, which selectors to click/fill, in what order.

Step 3: Act in the browser

Use the CSS selectors from Step 2 to perform the actions. The selectors have been verified by other agents.

Step 4: Report what happened

Always report the outcome. This is how the network learns:

Tool: report_outcome
Input: {
  "domain": "amazon.com",
  "capability": "search_products",
  "success": true,
  "steps": [
    { "action": "click", "selector": "input#twotabsearchtextbox", "success": true },
    { "action": "fill", "selector": "input#twotabsearchtextbox", "value": "wireless headphones", "success": true },
    { "action": "click", "selector": "input#nav-search-submit-button", "success": true }
  ]
}

You MUST include the actual CSS selectors you used. Reports without selectors are discarded.

Extracting data

To extract structured data from any URL without browser automation:

Tool: extract_url
Input: { "url": "https://github.com/ArcedeDev/air-sdk" }

Returns title, description, structured content, JSON-LD, and metadata.

Setup

The AIR SDK MCP server must be configured in your OpenClaw config. Run:

npx @arcede/air-sdk install-skill

This auto-detects OpenClaw and writes the MCP config. Or manually add to ~/.openclaw/openclaw.json:

{
  "mcpServers": {
    "air-sdk": {
      "command": "air-sdk",
      "args": ["--mcp"],
      "env": { "AIR_API_KEY": "your_key_here" }
    }
  }
}

Get a free API key (1,000 executions/month, no credit card): https://agentinternetruntime.com/extract/dashboard/sdk

Important notes

  • This is an early research preview. The capability index is growing but has gaps.
  • Some websites block automated browsing. If a site blocks you, report it anyway — the failure data is valuable.
  • Privacy: input values, cookies, and PII are never sent. Only anonymized selector and outcome data.

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…