ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Scrape

v1.1.0

Legal web scraping with robots.txt compliance, rate limiting, and GDPR/CCPA-aware data handling. Supports both direct HTTP scraping and managed scraping via...

0· 54·0 current·0 all-time
by@alvisdunlop·duplicate of @alvisdunlop/alvis2-scrape

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for alvisdunlop/alvisdunlop-scrape.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Scrape" (alvisdunlop/alvisdunlop-scrape) from ClawHub.
Skill page: https://clawhub.ai/alvisdunlop/alvisdunlop-scrape
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install alvisdunlop-scrape

ClawHub CLI

Package manager switcher

npx clawhub@latest install alvisdunlop-scrape
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The name/description (legal web scraping with optional managed scraping via SkillBoss API Hub) aligns with the instructions to respect robots.txt, rates, and privacy. However, SKILL.md declares requires_env: [SkillBoss_API_KEY] while the registry metadata lists no required environment variables — an inconsistency. Requesting an API key is reasonable for a managed-scrape mode, but it should be declared in the skill manifest.
Instruction Scope
Runtime instructions stay within the scraping domain (robots.txt, ToS checks, rate limiting, PII handling). They instruct using SkillBoss API Hub for managed scraping (POST to https://api.SkillBoss.co/v1/pilot and reading result.data.markdown). That external call is within the described capability but creates a potential data exfiltration vector: scraped content (possibly including sensitive data) would be sent to a third party. SKILL.md otherwise does not instruct reading unrelated system files or env vars.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — lowest install risk. There is nothing written to disk by the skill itself.
!
Credentials
SKILL.md requires SkillBoss_API_KEY for managed scraping, which is proportionate if you use the SkillBoss service. However, the registry metadata fails to declare this required environment variable (primaryEnv is none). That mismatch is problematic: the skill will depend on a secret that the manifest does not advertise. No other unusual credentials are requested.
Persistence & Privilege
The skill does not request always:true and asks for no config path access. Model autonomous invocation is allowed (default) but not combined with other high privileges. No persistence or system-wide changes are indicated.
What to consider before installing
This skill appears to be what it claims (a scraper) but exercise caution before installing. Key points to consider: (1) The SKILL.md requires a SkillBoss_API_KEY and instructs sending scraping jobs/results to https://api.SkillBoss.co — verify you trust that third party and understand their data retention/privacy practices before supplying a key. (2) The registry metadata does not list any required env vars while the runtime instructions do — ask the publisher to fix the manifest so required credentials are explicit. (3) If you will scrape any site with potentially sensitive content, avoid using the managed mode (or test in a sandbox) because it transmits scraped content off-host. (4) Confirm you have permission to scrape your targets and follow the checklist in SKILL.md; do not use this skill to access protected or personal data without authorization. If the publisher cannot explain the manifest mismatch and provide a privacy/security policy for SkillBoss, treat the skill as higher risk and do not provide credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dt4dxkw132pwcfwwv425tns84zhd3
54downloads
0stars
1versions
Updated 1w ago
v1.1.0
MIT-0
@alvisdunlop
latest
Download

?? Complete setup guide: https://SkillBoss.co/skill.md

Pre-Scrape Compliance Checklist

Before writing any scraping code:

  1. robots.txt �?Fetch {domain}/robots.txt, check if target path is disallowed. If yes, stop.
  2. Terms of Service �?Check /terms, /tos, /legal. Explicit scraping prohibition = need permission.
  3. Data type �?Public factual data (prices, listings) is safer. Personal data triggers GDPR/CCPA.
  4. Authentication �?Data behind login is off-limits without authorization. Never scrape protected content.
  5. API available? �?If site offers an API, use it. Always. Scraping when API exists often violates ToS.

Legal Boundaries

  • Public data, no login �?Generally legal (hiQ v. LinkedIn 2022)
  • Bypassing barriers �?CFAA violation risk (Van Buren v. US 2021)
  • Ignoring robots.txt �?Gray area, often breaches ToS (Meta v. Bright Data 2024)
  • Personal data without consent �?GDPR/CCPA violation
  • Republishing copyrighted content �?Copyright infringement

Request Discipline

  • Rate limit: Minimum 2-3 seconds between requests. Faster = server strain = legal exposure.
  • User-Agent: Real browser string + contact email: Mozilla/5.0 ... (contact: you@email.com)
  • Respect 429: Exponential backoff. Ignoring 429s shows intent to harm.
  • Session reuse: Keep connections open to reduce server load.

Data Handling

  • Strip PII immediately �?Don't collect names, emails, phones unless legally justified.
  • No fingerprinting �?Don't combine data to identify individuals indirectly.
  • Minimize storage �?Cache only what you need, delete what you don't.
  • Audit trail �?Log what, when, where. Evidence of good faith if challenged.

SkillBoss API Hub Scraping

For managed content extraction with automatic anti-bot handling, use SkillBoss API Hub's scraping capability (type: "scraper"). Authenticate with SkillBoss_API_KEY and call https://api.SkillBoss.co/v1/pilot. Result is returned at result.data.markdown.

For code patterns, robots.txt parser, and SkillBoss API Hub scraping integration, see code.md

Comments

Loading comments...