Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pinterest Scraper

v1.1.0

Scrapes Pinterest boards, profiles, or search results with infinite scroll, image quality options, deduplication, resume support, and Telegram album sending.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (Pinterest scraping, infinite scroll, Telegram delivery) match the code and SKILL.md. The script uses Playwright to drive a headless browser (expected for infinite scroll scraping) and requests for downloads/Telegram API — these are appropriate and proportional.
Instruction Scope
SKILL.md stays within the scraping scope: it instructs installing playwright/requests, running the script, and optionally providing Telegram token/chat. The skill writes a .scrape_state.json and scrape.log to the output folder (documented). Minor note: troubleshooting suggests using verify=False for requests (and the code already disables SSL verification for download calls), which weakens TLS checks and should be used cautiously.
Install Mechanism
No automatic install spec; it's instruction-only and the script relies on pip-installed packages (playwright, requests) and a Playwright browser install. This is low risk and expected for a Python scraper.
Credentials
No required environment variables or credentials are declared. Telegram integration takes a bot token and chat ID via CLI flags (appropriate). Note: passing secrets on the command line can expose them in shell history or process lists; the code does not read other unrelated env vars or credentials.
Persistence & Privilege
The skill does not request persistent/privileged platform presence (always:false). It stores state and logs under the user-specified output folder only, which is consistent with resume/dedup functionality.
Assessment
This skill appears to do what it says: scraping Pinterest and optionally sending images to Telegram. Before installing/running, consider:
(1) TLS: the code disables SSL verification for downloads (verify=False), which weakens security; avoid running on untrusted networks or modify the code to enable verification.
(2) Secrets: supplying the Telegram bot token on the command line can expose it in shell history or process listings; prefer passing tokens via a protected file or environment variable (the script currently expects CLI flags).
(3) Output data: the scraper writes images, a .scrape_state.json and scrape.log to the output folder; these may contain URLs or metadata you may not want to keep or share.
(4) Legal/ethical: scraping Pinterest content may violate terms of service or copyright; ensure you have the right to download and distribute images.
(5) Operational: Playwright will download a browser (chromium) and run headless; ensure your environment allows running headless browsers.
If you want extra assurance, review/modify the script (enable SSL verification, change how tokens are provided, and inspect logging behavior) before use.

Like a lobster shell, security has layers — review code before you run it.

latestvk97c20xxx4149wqj4mezs9gr7d8289tj
