Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Content Clipper

Extract and summarize web articles, 小红书, and Twitter content, then save clips to flomo via webhook or local markdown files with optional tags and summaries.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 67 · 0 current installs · 0 all-time installs
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name/description match the code: it fetches a URL, extracts text, and either posts to a flomo webhook or writes a markdown file. No unrelated credentials or binaries are requested. One notable design choice: a hard-coded default FLOMO webhook is embedded in both SKILL.md and the script instead of forcing the user to configure their own.
! Instruction Scope
The SKILL.md and script instruct the agent to fetch arbitrary URLs and then POST the clipped content to a webhook (default outgoing endpoint present). The script uses child_process execSync to run curl.exe with --noproxy '*' (explicitly bypassing proxies). Fetching arbitrary URLs from the agent runtime can be abused for SSRF (including local/internal IPs) and combined with the default webhook may cause sensitive content to be sent off-host. The SKILL.md does not warn about these risks or require the user to set their own webhook before use.
Install Mechanism
Instruction-only skill with an included script; there is no installer or remote download of code during install. No unusual install actions are present.
! Credentials
No required env vars are declared, but the code honors FLOMO_WEBHOOK if set and otherwise uses a hard-coded webhook URL. That default endpoint will receive clipped content unless the user overrides it — this is disproportionate because the skill should not ship with someone else's webhook pre-filled. The script also tries to invoke curl.exe (and bypasses proxies), which can interact with system networking configuration in ways the user may not expect.
Persistence & Privilege
Skill does not request always:true, does not modify other skills or system-wide settings, and has normal agent-invocation behavior.
What to consider before installing
This skill implements the advertised clipping functionality, but take care before installing or running it. Key things to consider:

  • Default webhook: the script contains a hard-coded FLOMO webhook URL. If you run it without setting FLOMO_WEBHOOK yourself, clipped content will be posted to that third-party endpoint. Replace the default webhook with your own or set FLOMO_WEBHOOK before running.
  • SSRF / internal fetch risk: the skill will fetch any URL you provide. Do not allow it to fetch untrusted input (including internal network addresses like 127.0.0.1, 169.254.x.x, or intranet hosts) — an agent or user prompt could be crafted to make it fetch sensitive internal services.
  • Proxy bypass: the script calls curl.exe with --noproxy "*" on Windows, explicitly bypassing system proxies. This can circumvent corporate monitoring or network controls. If you run on Windows, review or remove that behavior.
  • Local file writes and paths: the markdown target will write to any path you provide. Avoid running the script as a privileged user and avoid output paths that could overwrite important files.
  • Review and modify before use: open scripts/clip.js and remove or replace the hard-coded webhook, remove the proxy-bypass flag, and add URL allowlisting/validation if you plan to run this in an environment with sensitive internal endpoints. If you want to allow autonomous agent invocation, constrain the agent's capability to call this skill or require manual approval to avoid unintended data exfiltration.

If you want, I can suggest specific, small code changes to remove the default webhook, add URL validation/allowlisting, and remove proxy-bypass behavior.
  • scripts/clip.js:87: Shell command execution detected (child_process).
  • scripts/clip.js:11: Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0
latestvk974rsryjcnte9k3gd9xt0v0bn83778j


SKILL.md

content-clipper

Extract, summarize, and clip web content to note-taking services. Use when: (1) user shares a URL and wants a summary or key points extracted, (2) user wants to save/clip content to flomo, local markdown, or other note services, (3) user says "剪藏", "摘录", "存到flomo", "记到笔记", "clip this", "save to flomo", (4) user shares a 小红书/微信公众号/Twitter link and wants content extracted. Supports: web articles, 小红书 notes (text + video via screenshot), Twitter/X posts. Outputs to: flomo (webhook), local markdown files.

Usage

Clip to flomo

node <skill_dir>/scripts/clip.js --url "https://example.com" --target flomo

Clip to local markdown

node <skill_dir>/scripts/clip.js --url "https://example.com" --target markdown --output /path/to/file.md

Options

  • --url — URL to extract content from
  • --target — Output target: flomo or markdown (default: flomo)
  • --output — Output file path (for markdown target)
  • --summary — Also generate a summary
  • --tags — Comma-separated tags to add

Flomo Configuration

Set webhook URL in the script or via environment variable FLOMO_WEBHOOK. Default webhook (Candy): https://flomoapp.com/iwh/MTg4MTA/c6fceb66258d3cc5c527d82f283ba06a/

Notes

  • Windows: uses curl.exe --noproxy '*' for flomo webhook (proxy bypass needed)
  • 小红书: extracts text content; video notes use screenshot fallback
  • Twitter/X: extracts tweet text and media URLs

Files

3 total