Snapshot to API
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent browser-optimization skill, but it uses your signed-in browser session to find and call page APIs, so use it only on sites and data you intend to access.
This skill appears safe for its stated purpose, but it should be used deliberately: it opens pages with the OpenClaw browser profile, discovers API calls, and makes read-oriented requests as the logged-in user. Avoid using it for write actions, sensitive accounts, or pages where endpoint parameters may contain secrets unless you review and redact what gets saved.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may make API requests using the current browser tab instead of reading the page UI.
The skill instructs the agent to call discovered API endpoints directly from the browser context. This is central to the skill's purpose and is framed as read-oriented, but users should notice that it bypasses the visual page workflow.
return fetch('<API_PATH>')
  .then(r => r.json())
Use this only for intended read-only data retrieval, verify the endpoint and method before calling it, and keep the documented snapshot fallback.
API calls may access the same data the signed-in browser account can access.
The workflow intentionally uses the existing browser profile and session cookies to authenticate API calls. That is expected for this skill, but it means requests are made with the user's logged-in access.
browser(action=open, url="<target_url>", profile=openclaw) Purpose: establish cookie/session auth.
Run it only in accounts and workspaces where the user wants the agent to inspect data, and avoid privileged or sensitive pages unless explicitly needed.
Discovered API paths, parameters, or response-shape notes could be reused in later tasks or exposed in persistent notes.
The skill encourages persisting discovered API details for later reuse. This is useful for optimization, but endpoint paths and parameters can contain sensitive identifiers or become stale.
Document the API — path, required params, response structure, environment differences
4. **Log to learnings** — record the discovery for future reference
Redact secrets, session-specific values, tenant IDs, or personal data before saving learnings, and include environment scope and fallback guidance.
