AnyLink to Note

Pass

Audited by ClawScan on May 10, 2026.

Overview

The skill is coherent for turning user-shared public links into notes, but it uses third-party fetching and local browser/command tooling that users should understand.

This skill appears safe for its stated purpose of summarizing public/shared links. Before using it, be aware that general webpage extraction may send the URL to Jina Reader, and Get-note extraction may open the URL in a local headless browser. Avoid private, internal, login-only, or secret-token links unless you are comfortable with that processing.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a user supplies a private or token-bearing link, that link may be sent to a third-party reader service.

Why it was flagged

The skill discloses that WeChat/general webpage extraction uses the external Jina Reader service, meaning the submitted URL and fetched page content may be processed by that provider.

Skill content
const res = await fetch(`https://r.jina.ai/${encodeURIComponent(url)}`, { headers: { Accept: 'application/json' } });
Recommendation

Use this skill primarily with public links, and avoid sharing private, internal, or secret-token URLs unless third-party processing is acceptable.

What this means

Opening arbitrary links in a local headless browser can contact sites chosen by the input URL, including non-public destinations if the user provides them.

Why it was flagged

The included helper launches Playwright and browses a command-line URL. This is aligned with extracting shared Get notes, but it is still local browser automation against user-supplied links.

Skill content
const url = process.argv[2]; ... await page.goto(url, { waitUntil: 'domcontentloaded', timeout: 25000 });
Recommendation

Only provide links you intend to fetch, and keep the workflow limited to public/shared note URLs rather than internal or sensitive addresses.

What this means

Users may need to install or provide Playwright/Chromium themselves, so dependency provenance and versioning are not managed by the skill package.

Why it was flagged

The skill documents a Playwright/Chromium runtime dependency, while the registry shows no install spec or required binaries. This is not suspicious by itself, but setup is left to the user environment.

Skill content
Playwright environment: Get note extraction depends on Chromium; make sure it is installed with `npx playwright install chromium`.
Recommendation

Install Playwright/Chromium only from trusted package sources and consider pinning versions in a controlled environment.