License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (Clip web pages to Youdao Cloud Notes) matches the included scripts and CLI flows. Required binaries (node, jq, base64, curl, openclaw) are reasonable for the described browser extraction, image processing, and HTTP/SSE upload flows. mcporter appears only for optional post-clip guidance. The primary credential YOUDAONOTE_API_KEY is appropriate for an MCP/SSE upload to a Youdao backend.
Instruction Scope
Runtime instructions perform DOM extraction via the OpenClaw browser evaluate APIs, local image download/compression, and SSE/HTTP uploads to an MCP endpoint (default open.mail.163.com). The skill injects an in-package parser into target pages (no external CDN). The SKILL.md and scripts document that injected code only reads DOM and will not access cookies/localStorage, and the injected code appears to be a DOM parser. The skill writes temporary files in /tmp and optional debug logs to a user-supplied debug directory. These behaviors are within scope but are privacy-sensitive (page content and images are read and uploaded).
Install Mechanism
No external download/install step is included; this is a packaged skill with code files included. No remote installer or URL-based download/exec is used in the provided manifest, so install risk is low from the package itself.
Credentials
The registry metadata declares only YOUDAONOTE_API_KEY as required (primary). The code also reads other optional env vars at runtime: YOUDAONOTE_CLIP_DEBUG, YOUDAONOTE_MCP_URL, YOUDAONOTE_MCP_TIMEOUT, and twitter-apify.mjs optionally reads APIFY_API_TOKEN. Those additional envs are optional and documented in SKILL.md, but they are not listed in the declared requires.env array — this mismatch is worth noting because APIFY_API_TOKEN (if set) will be read by the twitter path. Overall the credentials the skill uses are proportional to its functions.
Persistence & Privilege
Skill does not request always:true and does not modify other skills or system-wide configuration. It writes transient artifacts to /tmp and (if enabled) debug logs to a configured debug directory; those are normal for this functionality and scoped to the skill.
Assessment
This skill appears to do what it claims (extract page HTML via the OpenClaw browser, download/compress images, and upload to a Youdao MCP endpoint). Before installing, consider:
1) Provide only the YOUDAONOTE_API_KEY unless you intend to use the Twitter/X path — the twitter flow can read APIFY_API_TOKEN from the environment if set.
2) Keep debug mode off (YOUDAONOTE_CLIP_DEBUG) unless you trust the skill and control the debug directory; debug writes metadata and short content previews to disk.
3) The skill will fetch images and page content and upload them to the MCP endpoint (default open.mail.163.com) and may call Apify when handling X/twitter URLs — review those endpoints if you need to restrict data flow.
4) If you need stronger guarantees about page-scoped privacy, audit the injected static injector (static/inject-sdk.fn.js) yourself — the package contains the injected parser source.
5) If you do not use the Twitter path, avoid setting APIFY_API_TOKEN.
If you want me to, I can point out the exact lines that read optional env vars and the places where network uploads occur, or check the injected SDK for any network calls.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
📎 Clawdis
Bins: node, mcporter, jq, base64, openclaw, curl
Env: YOUDAONOTE_API_KEY
Primary env: YOUDAONOTE_API_KEY
