Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Save All Resource

v1.0.0

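Opens a visible browser, lets the user browse the target website manually, and continuously listens for same-origin raw response content during browsing, writing it to a local Desktop directory in real time.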

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name and description ask to open a visible browser and persist same-origin responses. The included scripts use puppeteer, listen to page responses, filter by same origin and http/https, and write files to a Desktop directory; all of this is coherent and proportionate.
Instruction Scope
SKILL.md instructs running node scripts/main.js <url>, which the code implements. The script persistently saves any same-origin responses the user triggers (HTML, JS, CSS, images, JSON, fonts, etc.). This behavior is expected, but note it will store any sensitive content the user navigates to (including authenticated pages) on the local Desktop.
Install Mechanism
There is no packaged installer; SKILL.md tells the user to run npm install in the scripts directory. That installs puppeteer and its dependencies from the npm registry (a typical, traceable registry install). Puppeteer will also download a browser binary during install, which is a large network download. This is expected but notable.
Credentials
The skill requests no environment variables, credentials, or config paths. It does write files into the user's Desktop (os.homedir()/Desktop/<domain>), which is appropriate for the stated purpose but means local filesystem write access is required.
Persistence & Privilege
always:false and there is no installation script that modifies other skills or system-wide configs. The skill runs locally when invoked and exits when the tab closes or on SIGINT as described.
Assessment
This skill appears to do what it says: it opens a visible browser and saves same-origin HTTP/HTTPS responses to a folder on your Desktop. Before installing or running it, consider: (1) npm install will download puppeteer and many dependencies and will fetch a browser binary — expect a large network/download and inspect package-lock.json if you want to audit dependencies; (2) anything you navigate while the script runs (including pages behind logins) will be saved locally — avoid visiting sensitive accounts or use an isolated/sandbox environment or a throwaway profile; (3) the saved files live on your Desktop (check disk usage and privacy); (4) if you need stronger assurance, run this in a VM/container or review the puppeteer dependency tree for unexpected postinstall scripts. Overall the skill is internally consistent and contains no obvious remote exfiltration or unexplained credential requests.

Like a lobster shell, security has layers — review code before you run it.
