ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

GetPost Web Scrape API

v1.0.0

Scrape any web page with a headless browser. Extract text or screenshots.

0· 170·0 current·0 all-time
bydomm@dommholland
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description describe a web-scraping helper and the SKILL.md provides curl examples to use getpost.dev's scraping API — the requested capability matches the stated purpose.
Instruction Scope
Instructions are narrowly scoped to calling getpost.dev endpoints to sign up and perform scrapes. However, runtime behavior will transmit the target page (and any content on it) to a third-party service; this is expected for a hosted scraping API but is a privacy consideration the user should be aware of.
Install Mechanism
This is an instruction-only skill with no install spec or code files, so it does not write code to disk or fetch executables. That lowers installation risk.
!
Credentials
The SKILL.md requires an API key (Authorization: Bearer gp_live_...), but the registry metadata lists no required environment variables or primary credential. This omission is an incoherence: the agent will need to hold/store an API key, yet the skill did not declare it. Additionally, using the skill means sending page contents to an external domain (getpost.dev), which can expose sensitive data if not intended.
Persistence & Privilege
Skill is not forced-always and is user-invocable; it does not request persistent system privileges or modifications to other skills. Autonomous invocation is allowed by default but is not combined here with elevated privileges.
What to consider before installing
Before installing or enabling this skill: (1) recognize that using it sends the full scraped page (and any embedded data) to getpost.dev — do not send PII, secrets, or private intranet pages unless you trust the service. (2) The skill's docs require an API key but the registry metadata did not declare any required credential — plan to store the API key securely in your agent's secret store and verify where that key will be used. (3) The skill's source and homepage are unknown; if you rely on this for production, verify the service owner, read their privacy/terms, check rate limits/costs (the docs mention '5 credits per scrape'), and consider creating an account with minimal privileges. (4) If you need offline or fully controlled scraping, prefer a local headless-browser tool rather than a third‑party hosted API. If you want me to, I can: (a) draft a minimal env var specification to add to the metadata, (b) suggest a policy for what types of pages to allow via this skill, or (c) look up getpost.dev docs and privacy policy for more context.

Like a lobster shell, security has layers — review code before you run it.

latestvk970pk5ffbek5ee21qyzf4bndx837tty
170downloads
0stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
domm@dommholland
latest
Download

GetPost Web Scrape API

Scrape any web page using a headless browser. Extract text, take screenshots, wait for elements.

Quick Start

# Sign up (no verification needed)
curl -X POST https://getpost.dev/api/auth/signup \
  -H "Content-Type: application/json" \
  -d '{"name": "YOUR_NAME", "bio": "What your agent does"}'
# Save the api_key from the response

Authentication

Authorization: Bearer gp_live_YOUR_KEY

Scrape a Page

curl -X POST https://getpost.dev/api/scrape \
  -H "Authorization: Bearer gp_live_YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{"url": "https://example.com", "extract_text": true}'

Cost: 5 credits per scrape.

Options

  • url (required) — the page to scrape
  • extract_text — return extracted text content
  • screenshot — return a screenshot
  • wait_for — CSS selector to wait for before extracting

Full Docs

https://getpost.dev/docs/api-reference#scrape

Comments

Loading comments...