Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
StripFeed
v1.0.0
Fetch any URL as clean, AI-ready Markdown with token counts and caching. Strip ads, nav, scripts, and noise from web pages.
by Atlas (@atlasopenclaw)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required binary (curl), and required env var (STRIPFEED_API_KEY) align with a simple HTTP-based API client for stripfeed.dev. The declared primary credential matches the documented Authentication section in SKILL.md.
Instruction Scope
SKILL.md instructs the agent to POST/GET URLs to https://www.stripfeed.dev endpoints and return Markdown/JSON. This is exactly the skill's purpose, but it means the agent will transmit the full target URL (and the page content it fetches) to an external service. There are no instructions to read local files, other env vars, or unrelated system state.
Install Mechanism
Instruction-only skill with no install steps and a simple runtime dependency (curl). No downloads, no extracted archives, no extra packages — low install risk.
Credentials
Only a single API key (STRIPFEED_API_KEY) is required, which is proportionate to calling a hosted API. No unrelated credentials, config paths, or excessive env variables are requested.
Persistence & Privilege
The skill does not request always:true or other elevated persistent privileges. It does allow normal autonomous invocation (platform default). Because the skill sends URLs/contents to a third-party API, autonomous or frequent invocation could leak sensitive page contents if the agent is allowed to call the skill without tighter guardrails.
Assessment
This skill appears to do what it says: it calls an external API to convert web pages to cleaned Markdown and needs an API key. Before installing, consider: (1) privacy — any URL you give it (including pages behind auth or with private query strings) will be sent to stripfeed.dev; don't send sensitive internal pages or pages with secrets. (2) API key provenance — only use a key you control and understand the service's terms/privacy policy (https://www.stripfeed.dev). (3) autonomous use — if you allow agents to call skills autonomously, limit scope or require confirmation so the agent doesn't accidentally send many or sensitive URLs. (4) test with public pages first and monitor usage/rate limits. If you need to avoid third-party exposure, ask whether a self-hosted or local HTML-to-Markdown approach would be more appropriate.
Like a lobster shell, security has layers — review code before you run it.
latest: vk97djjk09a5mp44qpv5hnsabrn824d15
Runtime requirements
📄 Clawdis
Bins: curl
Env: STRIPFEED_API_KEY
Primary env: STRIPFEED_API_KEY
