Jarvis MCP HTML Extractor

Pass. Audited by ClawScan on May 10, 2026.

Overview

The skill is a simple web-scraping MCP wrapper and appears coherent, but it relies on an external global npm package that was not included for review.

This skill appears safe to review as a normal web-scraping MCP integration. Before installing, confirm that the npm package html-extractor-mcp is the package you intend to trust, and be careful about which URLs you allow the agent to fetch.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The installed npm package will run as local code on the user's machine when used, so trust in the package source matters.

Why it was flagged

The skill asks the user to install an external npm package globally, while the reviewed artifact set contains only SKILL.md and no package code or lockfile.

Skill content

npm install -g html-extractor-mcp

Recommendation

Verify the npm package, maintainer, and version before installing; consider pinning a version or testing in an isolated environment.

What this means

If used carelessly, the tool could fetch unintended, private, or internal URLs as part of an agent task.

Why it was flagged

The skill exposes a URL-fetching MCP command. This is expected for web scraping, but it means the agent can request web content through the installed tool.

Skill content

mcporter call --stdio "html-extractor-mcp" fetch url="https://example.com"

Recommendation

Use it only for intended URLs and avoid giving the agent broad permission to fetch sensitive internal resources unless that is explicitly desired.