Skill v1.4.0
ClawScan security
Terabox Link Extractor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 14, 2026, 11:00 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, runtime instructions, and required API key are consistent with its stated purpose (calling XAPIverse to extract TeraBox links), but it will transmit the user-supplied URL and your TERABOX_API_KEY to the third-party service — review trust and privacy before enabling.
- Guidance: This skill appears to do what it says: it sends a TeraBox link and your TERABOX_API_KEY to XAPIverse (https://xapiverse.com) to obtain direct download/stream URLs. Before installing: (1) Verify you trust the XAPIverse service and its privacy/terms, because your API key and the full target URL will be transmitted there. (2) Use a dedicated, limited-scope API key (do not reuse high-privilege secrets). (3) Confirm that extracting and downloading the target content is legal and allowed by the content owner. (4) Note the skill enforces Downloads/ as the output root (path traversal is blocked). (5) The SKILL.md requires the agent to ask for explicit user permission before transmitting URLs — ensure your agent actually follows that consent flow if you need the extra privacy protection. Minor metadata inconsistencies (README examples vs. standardized TERABOX_API_KEY and a homepage field mismatch) look like documentation drift but do not affect execution.
Review Dimensions
- Purpose & Capability (ok): Name/description, node requirement, and TERABOX_API_KEY map directly to the code's behavior: scripts/extract.js posts the provided TeraBox URL to https://xapiverse.com/api/terabox-pro and returns download/stream links. There are no unrelated environment variables or binaries requested.
- Instruction Scope (note): SKILL.md explicitly requires informed user consent before sending a URL and documents that the full target URL and API key are transmitted to xapiverse.com. The handler delegates consent handling to the LLM as described. This is within scope for an extraction skill, but it does mean user-provided URLs and the API key will leave the host environment.
- Install Mechanism (ok): No install script or remote downloads are present; the skill requires only a local Node runtime and contains plain JS files. There is no suspicious installer or external archive retrieval.
- Credentials (ok): Only one required credential (TERABOX_API_KEY) is declared and actually used. The code supports multiple comma-separated keys, which is reasonable for failover. The key is sent to the documented external API (xapiverse.com) — this is necessary for the service but is a privacy/secret-exposure consideration, not an incoherence.
- Persistence & Privilege (ok): The skill does not request permanent/always-on inclusion and does not attempt to modify other skills or system-wide agent settings. Downloads are sandboxed to a local Downloads/ directory per the code's checks.
