ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Crawl4ai

v1.0.0

AI-powered web scraping framework for extracting structured data from websites. Use when Codex needs to crawl, scrape, or extract data from web pages using AI-powered parsing, handle dynamic content, or work with complex HTML structures.

2· 1.9k·25 current·27 all-time
by@codylrn804
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (web scraping) align with the provided SKILL.md, API reference, examples, and helper scripts. All code and examples focus on crawling, JS execution, content extraction, and output formatting. The only mild surprise is that the example scripts import a 'crawl4ai' module but the package itself is not installed by the skill (there is no install spec) — the scripts are examples rather than an installer.
Instruction Scope
SKILL.md and reference docs instruct only on scraping tasks (dynamic JS handling, selector extraction, pagination, retries, custom JS injection). They do include powerful capabilities (arbitrary js_code injection into target pages, recommendations to use proxies/VPNs to bypass anti-bot protections), which are expected for a scraping framework but merit user caution. The instructions do not ask the agent to read unrelated system files or exfiltrate credentials.
Install Mechanism
No install spec is provided (instruction-only), which is low-risk. The package doesn't attempt to download or extract remote code. Note: example scripts are included but there is no installer that would place a 'crawl4ai' library on disk — the examples assume the environment already has a crawl4ai library available.
Credentials
The skill declares no required environment variables, credentials, or config paths. References to using proxies, residential proxies, or VPNs appear in troubleshooting notes (typical for scraping), but no secret tokens are requested by the skill itself.
Persistence & Privilege
The skill does not request persistent or platform-wide privileges (always:false). It does not modify other skills or system settings. Autonomous invocation is allowed (default) but that is normal for skills and not excessive here.
Assessment
This skill appears coherent for web scraping: examples, scripts, and docs all focus on extraction and dynamic content handling. Before installing or running: 1) Review the included Python scripts locally — they assume a 'crawl4ai' library is present but the skill doesn't install one for you. 2) Run any untrusted scraping code in a sandbox/container and inspect custom js_code before execution (it will run in the target page context). 3) Be mindful of legal and ethical limits (robots.txt, site terms, private/authenticated pages). 4) Avoid using or supplying production credentials or secret proxies unless you trust the source. 5) If you need the actual crawl4ai runtime, verify its origin and supply an approved package or vendor release rather than trusting unknown binaries.

Like a lobster shell, security has layers — review code before you run it.

latestvk979yxd3gxmzr4b29bjrgwtwgn80rs8v

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments