Skill v1.0.0

ClawScan security

URL Fetcher · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 11, 2026, 9:17 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill is coherent with its stated purpose (fetching and basic HTML→MD conversion) but several security claims in the docs are incompletely or incorrectly implemented (notably internal-host blocking and path restrictions), so you should review or sandbox it before use.
Guidance
This skill appears to do what it says (fetch pages, basic HTML→MD conversion) and uses only Python stdlib, but its security checks are incomplete. Before installing or enabling autonomous use:
- Review the code yourself (or have a developer do so). Pay attention to the URL validation and path checks.
- Do not allow the agent to fetch arbitrary user-provided URLs without restrictions — the script does not prevent requests to private IP ranges or domains that resolve to internal addresses (SSRF risk).
- Prefer running the script in a sandbox or container and avoid giving it broad autonomous invocation rights for open-ended inputs.
- If you plan to save output files, prefer restricting outputs to a dedicated workspace directory (remove Path.home() from SAFE_PATHS or replace it with a specific workspace path) and implement robust path checks (resolve and ensure the final path is inside an allowlist directory; avoid substring-based blocklists).
- Consider hardening URL checks: resolve hostnames and validate the resulting IP is public; explicitly block 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, link-local and other reserved ranges.
If you cannot review/modify the code, treat this skill as untrusted and run only in an isolated environment. These weaknesses look like sloppy/insufficient validation rather than intentional harm, but they materially increase risk, so exercise caution.

Review Dimensions

Purpose & Capability
ok
Name, SKILL.md, and the included script are aligned: the code fetches HTTP/HTTPS pages, can convert basic HTML to markdown, and can write output files. No unrelated credentials, binaries, or installs are requested.
Instruction Scope
concern
SKILL.md claims robust URL and path validation and blocks internal hosts. The script attempts such checks, but they are incomplete: it only blocks a short hostname list (localhost, 127.0.0.1, ::1, 0.0.0.0) and does not detect or block private IP ranges (10/8, 172.16/12, 192.168/16) or domains that resolve to internal addresses — so SSRF / internal scanning risks remain. Path validation allows any path under the user's home directory (Path.home()), relying on substring checks to exclude some dotfiles; substring blocking is brittle and can be bypassed. The skill does not access any other system files/credentials, nor does SKILL.md instruct the agent to do so.
Install Mechanism
ok
No install spec and no external package downloads; the bundle contains a Python script using only the stdlib. This is low-risk versus remote installers or archives.
Credentials
ok
The skill requests no environment variables, credentials, or config paths. The script performs network requests only to user-provided URLs and writes to user-supplied file paths, which is proportional to its purpose.
Persistence & Privilege
ok
The skill is not forced-always, and it does not modify other skills or global agent settings. Autonomous invocation is allowed by default, but that is not by itself a reason for concern; consider limiting autonomous URL fetching if you plan to enable it.