Web Content Fetcher
Security checks across malware telemetry and agentic risk
Overview
This skill appears to do what it says—fetch webpages through disclosed third-party services—but users should avoid sending private or tokenized URLs.
Install only if you are comfortable with webpage URLs being sent to r.jina.ai, markdown.new, or defuddle.md. Do not use it for private dashboards, signed links, intranet URLs, or URLs containing access tokens. Ensure curl is available if you plan to use the included scripts.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The external services can see the URL being fetched and may process the fetched page content.
The skill explicitly sends the requested URL to external content-conversion services.
`https://r.jina.ai/{url}` ... `https://markdown.new/{url}` ... `https://defuddle.md/{url}`Use this only for URLs you are comfortable sharing with those services, and avoid private links, signed URLs, or URLs containing secrets.
The skill may fail on systems without curl, or users may not realize it relies on a local command-line tool.
The included Python helper depends on the local curl binary, while the registry requirements declare no required binaries.
`subprocess.run(["curl", "-s", service_url], capture_output=True, text=True, timeout=30)`
Declare curl as a required binary or document the dependency clearly before installation.