Oxylabs AI Studio — Web Scraper, Crawler & Browser Agent

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a straightforward Oxylabs scraping and browser-automation wrapper, with the main things to review being the Python package installation and use of your Oxylabs API key.

Before installing, review the setup script, preferably install the SDK in a virtual environment, and provide only an Oxylabs API key you are comfortable using for these tasks. Use the browser and crawler tools only on sites you are authorized to access, and avoid delegating purchases, postings, account changes, or private-data scraping without explicit confirmation.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the user asks for form submissions, clicks, or other website interactions, the browser agent may perform them through the Oxylabs service.

Why it was flagged

The browser tool is intentionally capable of interactive website automation, which is central to the skill but broader than simple page fetching.

Skill content

"""Oxylabs Browser Agent: navigate and interact with websites like a human."""

Recommendation

Use the browser agent only for authorized websites and require clear user confirmation before login, purchase, posting, account-change, or other irreversible actions.

What this means

Running setup can modify the local Python environment and depends on the package currently published under that name.

Why it was flagged

The setup script installs an unpinned third-party Python package and first attempts to bypass externally managed Python package protections.

Skill content

pip3 install oxylabs-ai-studio --break-system-packages --quiet 2>/dev/null || pip3 install oxylabs-ai-studio --quiet 2>/dev/null

Recommendation

Prefer installing in a virtual environment, review the package source/provenance, and pin a known-good version if reproducibility matters.

What this means

Setup may traverse many local directories, which can be slow or broader than expected for plugin detection.

Why it was flagged

The setup script searches from the filesystem root to detect an existing native plugin. It only looks for a filename pattern, but the search scope is broad.

Skill content

NATIVE=$(find / -name "*oxylabs-ai-studio-openclaw-web-fetch*" -type f 2>/dev/null | head -1)

Recommendation

Run setup deliberately and consider narrowing the search to known OpenClaw plugin directories in future versions.

What this means

Requests made by the skill may consume credits or otherwise act under the user's Oxylabs account.

Why it was flagged

The skill reads the Oxylabs API key from the environment and uses it to create Oxylabs SDK clients, which is expected for this integration.

Skill content

api_key = os.getenv("OXYLABS_API_KEY", "")

Recommendation

Use an API key intended for this purpose, monitor account usage, and revoke or rotate the key if it is no longer needed.

What this means

Target URLs, prompts, queries, and extracted website content may be visible to or processed by the provider as part of normal operation.

Why it was flagged

The crawler passes the target URL and user prompt into the Oxylabs SDK, meaning task details are processed by the external Oxylabs service.

Skill content

result = crawler.crawl(url=url, user_prompt=prompt, output_format="markdown")

Recommendation

Avoid sending private, confidential, or unauthorized targets unless that use is acceptable under Oxylabs' terms and the user's data-handling expectations.