v0.1.0

openclaw-skill-shorturl

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 7:29 AM.

Analysis

This appears to be a straightforward short-link generator, but it sends the provided URL to ShortURL.bot, so avoid using it with private or token-bearing links.

GuidanceThis skill is coherent and proportionate for generating short URLs. Use it only for links you are comfortable sending to ShortURL.bot, and avoid shortening URLs that contain secrets, private access tokens, or sensitive internal resources. Also make sure Node.js is installed if you want the script-based workflow to run.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities

SeverityInfoConfidenceHighStatusNote

SKILL.md

node shorturl/scripts/shorten.js <长网址> [域名] [自定义后缀] ... 依赖 ... - Node.js

The skill clearly documents that it runs a local Node.js script, but the registry metadata declares no required binaries. This is an under-declared runtime dependency, not a hidden install step.

User impactThe skill may not work unless Node.js is already installed, even though the registry requirements do not list it.

RecommendationBefore installing or invoking the skill, confirm that Node.js is available if you intend the agent to run the included script.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityLowConfidenceHighStatusNote

scripts/shorten.js

const apiUrl = 'https://www.shorturl.bot/api/urls/shorturl'; ... payload = JSON.stringify({ url: longUrl, domain: domain, backHalf: backHalf, memberId: memberId });

The script sends the user-provided long URL and short-link options to an external provider. This is purpose-aligned for a URL shortener, but users should understand the data leaves their local environment.

User impactAny URL submitted for shortening is shared with ShortURL.bot; if the URL contains private document paths, access tokens, invite links, or other sensitive query parameters, those details may be exposed to the service and embedded in the resulting short-link record.

RecommendationOnly shorten URLs that are safe to share with the shortening provider, and avoid links containing secrets, session tokens, or private one-time access parameters.