Back to skill
Skillv1.1.1
ClawScan security
网页内容提取 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 22, 2026, 11:54 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This skill appears to do what it claims (fetch a URL and extract readable text) and does not request credentials or call unexpected endpoints; the only notable issue is a minor dependency/documentation mismatch.
- Guidance
- This skill appears coherent and low-risk: it only fetches the URL you provide and extracts text locally. Before installing, note: (1) SKILL.md mentions the 'requests' package but the script uses urllib — you do not need to provide API keys or credentials; (2) the skill will make network requests to any URL you pass, so avoid running it on untrusted or internal URLs you don't want fetched; (3) the extractor is simple and may not perfectly remove all ads or boilerplate; (4) the package comes from an unknown source — if you plan to run it on sensitive systems, review the script locally (it’s small and readable) or run it in a sandboxed environment.
Review Dimensions
- Purpose & Capability
- noteName/description (网页内容提取) match the included script: the Python tool fetches a provided URL and extracts readable text while skipping common structural tags. One minor mismatch: SKILL.md lists 'requests' as a dependency but the script uses urllib.request and does not import requests.
- Instruction Scope
- okSKILL.md instructs the agent to run 'python3 scripts/readability.py <URL>'. The script only fetches the given URL, parses HTML locally, and prints results. It does not read local files, environment variables, or transmit data to third-party endpoints beyond the requested URL.
- Install Mechanism
- okNo install spec — instruction-only with a bundled Python script. No downloads or external installers invoked by the skill itself.
- Credentials
- okNo environment variables, credentials, or config paths are requested. The script uses certifi for SSL verification; this is proportionate to its network fetch behavior.
- Persistence & Privilege
- okSkill is not always-enabled and uses normal autonomous invocation defaults. It does not modify other skills or request persistent system-wide privileges.