Wget Tool
VirusTotal audit pending.
Overview
No VirusTotal analysis has been recorded yet. File reputation checks will appear here once the artifact hash has been scanned.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user or agent may rely on advertised safeguards or options that are not actually present, leading to failed downloads or unsafe assumptions about behavior.
The included implementation only parses a URL and a fragile `-O` option before calling `urlretrieve`, while SKILL.md advertises resume, recursive mirroring, rate limiting, retries, timeout, headers, and JSON output.
if a == '-O': output = sys.argv[i+3]
elif not a.startswith('-'): url = a
...
urllib.request.urlretrieve(url, output or os.path.basename(url))
Align SKILL.md with the actual implementation, or implement and test the advertised options before publishing.
The agent may fail to run the intended code or may invoke an unexpected local command named `wget-tool` if one exists in the environment.
SKILL.md instructs use of a `wget-tool` command, but the artifacts do not install or declare that command and do not clearly connect it to `scripts/wget.py`.
No install spec — this is an instruction-only skill.
Provide a clear reviewed entrypoint, declare required binaries, and ensure the documented command maps to the included implementation.
If used carelessly, it could download untrusted files, overwrite chosen paths, or consume storage/bandwidth.
The skill is meant to download web content and write it to local files, including potentially many files when mirroring.
-O, --output FILE Save to specific filename
-r, --recursive Download recursively
-P, --directory-prefix DIR Save files under directory
Use only trusted URLs, choose safe output directories, and review downloaded files before opening or executing them.
Tokens passed on a command line may be exposed through shell history, logs, or process listings, depending on the environment.
The documentation encourages passing authentication material in custom HTTP headers, which is expected for private downloads but is sensitive.
--header "Authorization: Bearer token123" ... - **Custom headers** — authentication, API tokens, referrers
Use short-lived, least-privilege tokens and avoid placing real secrets directly in reusable command examples or shared logs.
