ClawHub
Back to skill
v1.0.0

StripFeed

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 6:17 AM.

Analysis

StripFeed is a coherent URL-to-Markdown API wrapper, but users should remember that requested URLs and fetched content are sent to StripFeed and may be cached.

GuidanceThis skill appears safe for its advertised purpose. Before installing, make sure you are comfortable sending requested URLs and fetched page content to StripFeed, protect the STRIPFEED_API_KEY, and avoid using it on private or secret-bearing URLs unless you trust the service's handling and caching policies.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityInfoConfidenceHighStatusNote
SKILL.md
curl -s "https://www.stripfeed.dev/api/v1/fetch?url=URL_HERE" \

The skill instructs the agent to use curl with a target URL parameter. This is central to the stated purpose, but the URL should be encoded and treated as user-controlled input.

User impactThe agent may make network requests to StripFeed for URLs it is asked to read, which can consume API quota and disclose the requested URL to the provider.
RecommendationUse the skill for intended web-reading tasks, avoid placing secrets in URLs, and ensure target URLs are properly URL-encoded before use.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.md
All requests require the `STRIPFEED_API_KEY` environment variable. Pass it as a Bearer token:

The skill requires an API key and sends it as a bearer token to StripFeed. This is expected for the service and no artifact shows hardcoding or leakage.

User impactAnyone or any agent process with access to this environment variable can use the associated StripFeed account and quota.
RecommendationStore the API key securely, limit access to the environment variable, and monitor usage/quota in the StripFeed account.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
SKILL.md
Responses are cached for 1 hour by default. Use `cache=false` for real-time content.

The provider-side service may cache fetched responses. This is disclosed and purpose-aligned, but it affects how sensitive URLs or fetched content should be handled.

User impactURLs and page content submitted through the service may be processed and temporarily cached by StripFeed.
RecommendationPrefer this skill for public or non-sensitive pages; avoid private, signed, or token-bearing URLs unless you have reviewed StripFeed's privacy and caching behavior.