Web Fetcher
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a purpose-aligned web fetching skill, but users should notice that it sends requested URLs to third-party conversion services and can optionally read an attached browser tab.
This skill is reasonable for public web pages and small, user-directed crawls. Before installing or using it, remember that URL conversion services may see the URLs you submit, and browser fallback should only be used on tabs you deliberately want the agent to inspect.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a URL contains private paths, access tokens, internal hostnames, or sensitive query parameters, those details may be sent to external services.
The helper builds requests to third-party URL-to-Markdown providers from the user-supplied URL, so the target URL is disclosed to those services.
METHODS = [ ('r.jina.ai', ...), ('markdown.new', ...), ('defuddle', ...) ]
Use this skill mainly for public URLs, strip secrets from URLs before fetching, and avoid third-party fetch fallbacks for private or internal pages unless you intend to share that URL with the provider.
Attaching a logged-in or private tab may expose the visible page content to the agent for extraction or summarization.
The browser fallback can read content from a live user-controlled browser tab, which may include account-authenticated or otherwise private page content.
If the user is using the Chrome relay/extension, ask them to attach the tab and then inspect the live rendered page. Snapshot the page and extract only the needed fields.
Only attach tabs you intentionally want the agent to read, and prefer extracting the minimum fields needed from authenticated or sensitive pages.
Using the deterministic retry path runs local code that makes outbound web requests to the listed conversion services.
The skill documents running a bundled local Python helper. The helper source is included and its behavior is aligned with the web-fetching purpose.
python {baseDir}/scripts/fetch_url.py "https://example.com/article"
Review the included helper if desired and run it only for URLs you intend to fetch through the documented services.
