AI Data Scraper

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: ai-data-scraper
Version: 1.0.0

The `main.sh` script contains a critical shell injection vulnerability. The `$URL` and `$API_URL` variables are used directly within `curl -sL "$URL" --compressed` without proper sanitization, allowing an attacker who can control the input URL to inject arbitrary shell commands. While the script's stated purpose is benign (data scraping), this flaw enables remote code execution. Additionally, the script has functional bugs, including a mismatch in argument parsing between `main.sh` and `SKILL.md`/`package.json`, and calls to undefined `log_info`/`log_error` functions, which would cause it to fail.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used on unsafe or unintended targets, the skill could fetch and store data from places the user did not mean to access.

Why it was flagged

The script fetches whatever URL/API value it is given and saves the response locally. This is purpose-aligned for a scraper, but it is broad network-fetching capability without visible scheme, domain, or target restrictions.

Skill content

local data=$(curl -sL "$URL" --compressed)
...
echo "$data" > "$output_file"

Recommendation

Use it only with authorized http(s) URLs or APIs, and review generated files before sharing them.

What this means

The skill may fail or behave differently depending on whether curl is available in the environment.

Why it was flagged

The script has a runtime dependency on curl, while the registry requirements declare no required binaries. This is an under-declared dependency rather than hidden installation behavior.

Skill content

if ! command -v curl &> /dev/null; then
        log_error "curl not installed"

Recommendation

Confirm curl is installed and consider updating metadata to declare the dependency.

What this means

Users may assume reliability, monitoring, or anti-duplication features exist when they are not shown in the provided artifacts.

Why it was flagged

The documentation advertises proxy pools, retries, deduplication, and real-time monitoring, but the supplied script only performs direct curl fetches and local writes. This is a capability overstatement, not evidence of hidden behavior.

Skill content

- ✅ Proxy pool support
- ✅ Automatic retry
- ✅ Data deduplication
- ✅ Real-time monitoring

Recommendation

Do not rely on the advertised advanced features unless they are implemented and reviewed.