Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Diffbot Fetch
v1.0.0
Fetch and extract clean article content from any URL using the Diffbot Article API. Returns clean Markdown.
by Flo @flobo3
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The name/description, SKILL.md, README, and fetch.py all consistently describe fetching article content via the Diffbot Article API — that purpose is coherent with the included code. However, the registry metadata claims no required environment variables or primary credential, which contradicts the code and SKILL.md that require DIFFBOT_API_KEY.
Instruction Scope
The runtime instructions only call the Diffbot Article API and format output as Markdown. The SKILL.md and fetch.py do not instruct reading unrelated files or other environment variables, nor do they contact endpoints other than api.diffbot.com. Usage examples are limited to invoking the included script.
Install Mechanism
This is an instruction-only skill (no installer) with a single included Python script. There are no download URLs or extract/install steps: low installation risk. The presence of a code file without an install spec is consistent with an instruction-only package.
Credentials
The code and SKILL.md require a DIFFBOT_API_KEY environment variable. The registry metadata, however, lists no required env vars or primary credential. That mismatch is disproportionate and could mislead users or automated policy checks. Aside from the Diffbot key, the script does not request other secrets.
Persistence & Privilege
The skill does not request persistent/always-on presence and does not modify other skills or system settings. It runs as a simple script and prints to stdout, so there are no elevated persistence privileges.
What to consider before installing
This skill appears to be a simple Diffbot API wrapper (fetch.py) that needs DIFFBOT_API_KEY, but the registry metadata incorrectly lists no required credentials. Before installing:
- Confirm the registry/package owner and provenance (no homepage or known owner provided). Treat as unverified.
- Expect to supply DIFFBOT_API_KEY; do not paste your secret into public places. Prefer a limited-scope or ephemeral Diffbot token if available.
- Review fetch.py (included) yourself — it only contacts api.diffbot.com and prints article text, so it doesn't exfiltrate other data, but running code from unknown sources always has risk.
- Ask the publisher to fix metadata to declare DIFFBOT_API_KEY explicitly (or remove the requirement if incorrect). If you will run this inside an automated agent that passes credentials, ensure policies/ACLs limit which skills receive the token.

Like a lobster shell, security has layers — review code before you run it.
