Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
webfetch
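v0.1.1
Web page content fetching tool. Uses the webfetch CLI to fetch web page content and convert it to Markdown, text, or HTML format. Trigger scenarios: the user asks to fetch a web page, get web page content, convert a web page to Markdown, convert a web page to text, or download a web page.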
by 一个有毅力的吃货 @lyhue1991
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the behavior: the SKILL.md only documents invoking a webfetch CLI to fetch and format web pages. Required resources (proxy env vars, optionally installing webfetch) are coherent with that purpose.
Instruction Scope
Runtime instructions are limited to running the webfetch binary, checking installation (command -v), optionally installing via npm, and simple network/debug commands (curl, printenv for proxy vars). They do not request unrelated files or secrets. Note: the doc explicitly recommends the --insecure flag to skip TLS verification — this is functional but weakens security if used.
Install Mechanism
There is no formal install spec in the skill bundle, but SKILL.md suggests 'npm install -g @lyhue1991/webfetch'. Installing a global npm package is a reasonable way to obtain the CLI, but it pulls code from an individual npm namespace (not a known vendor), which is a moderate risk because it will execute/install remote code on the host.
Credentials
The instructions only reference standard proxy environment variables (HTTP_PROXY, HTTPS_PROXY, NO_PROXY) and recommend setting them when needed. No unrelated credentials or sensitive env vars are requested.
Persistence & Privilege
The skill does not request always-on presence or elevated platform privileges. However, following the doc may lead a user to perform a global npm install, which creates a persistent binary on the system; that's expected for a CLI wrapper but is a persistence action the user should consciously approve.
Assessment
This skill is coherent with its goal of invoking a webfetch CLI. Before installing/using it: (1) prefer to inspect the npm package (@lyhue1991/webfetch) and its repository/readme to confirm the publisher and review code or npm audit results; (2) avoid running npm install -g unless you trust the package—consider installing locally or in a container/VM; (3) avoid using --insecure unless absolutely necessary for testing (it disables TLS checks); and (4) when printing environment variables, restrict checks to proxy vars as shown rather than running printenv without arguments. If you want higher assurance, ask the author/source for a verified homepage or a signed release.
Like a lobster shell, security has layers — review code before you run it.
