ScrapeFun

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This instruction-only skill is coherent and scoped to operating a local ScrapeFun server, but it can use an access key to submit downloads, finalize imports, and scan media libraries.

This appears safe to install if you intend OpenClaw to manage a local ScrapeFun server. Before installing, confirm the configured access key has only the permissions you want, and be careful with actions that submit downloads, rescan libraries, or finalize imports because those can change server-side media state.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used incorrectly, the agent could submit unwanted downloads or trigger media import actions on the connected ScrapeFun server.

Why it was flagged

These endpoints can mutate the ScrapeFun server's download workflow and media organization. The behavior is disclosed and aligned with the skill purpose, but it is still operationally significant.

Skill content

`POST /api/openclaw/downloads/submit` ... `Use for offline download submission`; `POST /api/openclaw/media/:metadataId/finalize-import` ... `Use for post-download scan, organize, and verification`

Recommendation

Install only if you want OpenClaw to operate ScrapeFun downloads and imports, and review user requests before allowing actions that submit downloads, finalize imports, or force scans.

What this means

Anyone or any agent with the configured key or token could perform the permitted ScrapeFun operations.

Why it was flagged

The skill uses authenticated access to a ScrapeFun server and may use a bearer token fallback. This is expected for the integration and includes permission checks, but it gives the agent delegated authority on that server.

Skill content

Preferred auth: `X-OpenClaw-Key: <access key>` ... Fallback auth: `POST /api/auth/login` ... Reuse `Authorization: Bearer <token>`

Recommendation

Use a least-privilege OpenClaw access key, avoid sharing admin login credentials unless necessary, and revoke or rotate the key if it is no longer needed.