ClawHub
Back to skill
v1.0.0

web-search-scraper-api-skill

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 7:50 AM.

Analysis

This skill appears to do what it says—send a user-provided URL to BrowserAct and print extracted Markdown—but users should understand it uses a BrowserAct API key and a third-party scraping workflow.

GuidanceThis looks reasonable for public webpage-to-Markdown extraction. Before installing, be comfortable using a BrowserAct API key, set the key securely as an environment variable, and only provide URLs you are allowed to scrape and willing to send to BrowserAct.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.md
The website URL to extract content from. Supports any HTTP/HTTPS URL.

The skill is intentionally broad and can direct a scraping API at any user-supplied web URL.

User impactUsers could accidentally scrape restricted, private, or terms-sensitive pages if they provide such URLs.
RecommendationUse it only for URLs you are authorized to access and scrape; avoid login-only, private, or restricted content unless you have permission.
Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
scripts/web_search_scraper_api.py
TEMPLATE_ID = "85961818557645714" ... API_BASE_URL = "https://api.browseract.com/v2/workflow"

The actual extraction work is delegated to a remote BrowserAct workflow template identified by ID, rather than fully implemented in the local artifact.

User impactThe user relies on BrowserAct and that remote workflow template behaving as expected.
RecommendationVerify the BrowserAct provider/workflow in your account and monitor API usage, especially before using it with important or sensitive URLs.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
scripts/web_search_scraper_api.py
api_key = os.getenv("BROWSERACT_API_KEY") ... headers = {"Authorization": f"Bearer {api_key}"}

The script reads a BrowserAct API key from the environment and uses it as a bearer token for BrowserAct API requests.

User impactThe BrowserAct key may authorize account usage or billing, so exposing it could let others use the account.
RecommendationPrefer setting BROWSERACT_API_KEY as an environment variable, avoid pasting keys into chat when possible, and rotate the key if it is exposed.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
scripts/web_search_scraper_api.py
{"name": "target_url", "value": target_url} ... requests.post(f"{API_BASE_URL}/run-task-by-template", json=payload, headers=headers)

The user-provided target URL is sent to the external BrowserAct API to run the scraping workflow.

User impactPrivate or sensitive URLs, and potentially their fetched page content, may be processed by BrowserAct.
RecommendationDo not submit sensitive private URLs unless you are comfortable with BrowserAct processing them and have reviewed the provider's privacy and retention terms.