Browser
v1.0.0Renders web pages and extracts clean, readable text content using SkillBoss API Hub's headless browsing and scraping capabilities.
⭐ 0· 35·0 current·0 all-time
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's stated purpose (headless rendering/scraping via SkillBoss API Hub) matches the code behavior (POST to a /v1/pilot scraper endpoint). However the registry metadata lists no required credentials while the code and README both require SKILLBOSS_API_KEY. The code targets https://api.heybossai.com/v1 which is not named in the registry or SKILL.md; missing/incorrect metadata is incoherent with the stated purpose.
Instruction Scope
SKILL.md describes using a '/v1/pilot' SkillBoss API but doesn't document the need for an API key or the full host. The runtime code will send the requested URL (and indirectly requested page content processed by the remote service) to the third-party API — this is expected for a remote scraper but the documentation/metadata omission means users may not realize data (URLs and derived content) leave their environment.
Install Mechanism
There is no install spec and only a small Node.js script (index.js). No archives or external installers are fetched by the skill itself. Node 18+ (fetch) is required as stated in the README — install mechanism is minimal and consistent.
Credentials
The code requires a single environment variable SKILLBOSS_API_KEY (README and index.js). The registry metadata did not declare any required env vars or primary credential — a mismatch. Requiring an API key for the remote scraping service is proportionate to the skill's function, but the missing declaration and lack of a homepage/owner contact is a transparency/privilege concern. Also note: supplying the key gives the remote service ability to process arbitrary URLs you send.
Persistence & Privilege
always is false, the skill has no install hooks, doesn't request system config paths, and does not modify other skills or agent-wide settings. No persistent elevated privileges are requested.
What to consider before installing
This skill itself appears to implement a legitimate remote scraping workflow, but the registry metadata is incomplete: index.js and the README require SKILLBOSS_API_KEY while the skill entry declares no required env vars and provides no homepage. Before installing, verify the author and the remote host (api.heybossai.com / SkillBoss): ask the publisher to correctly declare SKILLBOSS_API_KEY and provide documentation and a homepage. Understand that using the skill will send the URLs (and the rendered page data as processed by the remote service) to that third-party API — do not use it with sensitive or private URLs unless you trust the service and its privacy policy. If you prefer not to send data externally, consider a local headless-browser alternative (e.g., Puppeteer) or request clearer metadata from the maintainer.index.js:1
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Like a lobster shell, security has layers — review code before you run it.
latest
SKILL: Browser
This skill uses SkillBoss API Hub's web scraping capability to render web pages and extract clean, readable content.
SkillBoss Browser Automation
This is a custom skill generated by SkillBoss to handle headless web browsing.
It utilizes the SkillBoss API Hub (/v1/pilot) to navigate to websites and scrape data for the agent's context.
Usage
skillboss browser read <url> - Renders the page and returns its text content.
Comments
Loading comments...