Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
URL to PNG
v0.0.2
Convert URL to PNG suitable for mobile reading.
by @guoqiao
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with the included scripts: url2png.sh invokes 'uvx shot-scraper' to capture a long/mobile screenshot and save it (default ~/Pictures). Requiring the 'uv' binary is coherent because the scripts call 'uvx' (uv launcher).
Instruction Scope
SKILL.md instructs the agent to run url2png.sh, locate the generated PNG, and send it as a file. The scripts only fetch the provided URL and save a screenshot; they do not attempt to read unrelated files or environment variables, or to contact external endpoints beyond the target webpage and the installation downloads.
Install Mechanism
There is no registry install spec, but install.sh uses 'uvx shot-scraper install --browser chromium' which will download shot-scraper and Chromium (Playwright runtime). This is expected for a screenshot tool but involves network downloads and installing a browser runtime (large binary). The download sources are not shown here (delegated to uv/shot-scraper); verify 'uv' and 'shot-scraper' are trusted and that you accept the browser download.
Credentials
No environment variables, credentials, or config paths are requested. The skill does not ask for unrelated secrets. The lack of credentials is proportionate to its stated purpose.
Persistence & Privilege
The skill is marked always:true (force-included in every agent run). That is unnecessary for a small URL->PNG utility and increases the blast radius if the skill or its dependencies are compromised. Autonomous invocation is normal, but always:true should be justified or removed.
Scan Findings in Context
[no-findings] expected: Static scan found no regex hits. That is consistent with these small, clear shell scripts and an instruction-only approach, but absence of findings is not definitive assurance.
What to consider before installing
This skill appears to do exactly what it claims: it runs shot-scraper (via the uv tool) to capture a mobile-formatted PNG of a given URL. Before installing or enabling it everywhere, consider:
- Why is always:true set? That forces the skill to be included in every agent run; ask the maintainer to remove or justify this flag.
- The installer will download and install shot-scraper and a Chromium runtime — expect a large download and verify you trust 'uv' and 'shot-scraper' (and their default download sources). If you operate in a restricted environment, block or review those downloads first.
- The skill will load the target webpage (the user-supplied URL) in a browser; treat user-supplied URLs as untrusted content (could trigger remote requests, ads, trackers, or malicious pages). Limit who can provide URLs if that's a concern.
- There are no credential requests and scripts don't read other files, which is good. But if you need stronger assurance, ask for the canonical upstream repository or author verification and request removal of always:true prior to enabling globally.
Like a lobster shell, security has layers — review code before you run it.
Tags: Long screenshot, Longshot, iPhone, latest, playwright, screenshot, shot-scraper, url-to-png, url2png
Runtime requirements
🦞 Clawdis
OS: macOS · Linux
Bins: uv
