Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Web Scraper
v1.0.0
Web scraping skill with JavaScript rendering support. Extract data from websites using CSS selectors, XPath, or AI-powered extraction.
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill claims JavaScript rendering support (Playwright/Puppeteer) and crawling features, but declares no required binaries, no environment variables, and provides no code or install spec. A scraping tool that needs browser automation would normally list Node/Python packages, a browser driver, or an install step; those are missing, which is disproportionate and incoherent.
Instruction Scope
SKILL.md instructs the agent to run 'python3 scripts/scrape.py' with various flags (rendering, crawling, AI extraction). There is no scripts/scrape.py in the bundle. The instructions therefore point to executing local code that doesn't exist. The doc also implies use of heavy runtime components (Playwright/Puppeteer) but gives no guidance on installing or sandboxing them.
Install Mechanism
There is no install spec. Given the stated features (JS rendering, Playwright/Puppeteer), an installation step is expected (pip/npm installs, browser binaries). The absence of an install mechanism leaves ambiguity about where the code would come from and how dependencies would be provisioned — increasing risk if an agent tries to fetch/install packages at runtime.
Credentials
The skill declares no environment variables or credentials, which is consistent with a simple, local scraper. However, it also omits declaring expected system binaries or package requirements (python, node, playwright browsers). If the scraper needs authentication for target sites, those credentials aren't declared. The lack of declared dependencies is the main proportionality issue.
Persistence & Privilege
always is false and there are no claims of modifying other skills or agent-wide config. Autonomous invocation is allowed (default) but that alone is not a red flag.
What to consider before installing
This skill is incomplete and ambiguous: it documents commands that run scripts/scrape.py and references Playwright/Puppeteer, but the package contains no code, no install instructions, and no trusted source URL. Before installing or enabling it:
1) ask the publisher for the source code or a real homepage/README and a dependency list (Python version, required pip packages or npm packages, Playwright/browser binaries);
2) require an explicit install spec or packaged binary from a trusted host (GitHub release, PyPI, npm) — do not allow the agent to fetch arbitrary URLs to satisfy missing deps;
3) verify the scripts/scrape.py file and inspect it for data exfiltration, credential access, or remote callbacks;
4) run the tool in a sandboxed environment first and avoid providing any site credentials until you confirm necessity;
5) consider legal/ethical constraints of scraping target sites and ensure the tool honors robots.txt and rate limits.
Given the unknown source and the mismatch between claimed capabilities and the bundle contents, treat this skill as unready for production.
