Ghostfetch

Pass

Audited by ClawScan on May 1, 2026.

Overview

Ghostfetch appears to be a coherent web-search and page-fetching skill, with disclosed but noteworthy network, install, cookie, and optional captcha-key behaviors.

This skill is reasonable for web research if you trust the ghostfetch binary/source. Before installing, review the pinned GitHub source or use a trusted binary, remember that fetches originate from your machine, use --no-cookies when you do not want persistent site state, and avoid passing API keys or sensitive URLs unless needed.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Websites you fetch will receive requests from your machine or network, and agents could fetch URLs you did not intend if you allow autonomous use.

Why it was flagged

The skill can make arbitrary outbound page fetches, including parallel requests, from the user's environment. This is core to the stated purpose and clearly disclosed.

Skill content

ghostfetch fetch url1 url2 url3 -p 3 ... All network requests go directly from your machine

Recommendation

Use it for intended research tasks, review URLs before fetching sensitive or internal resources, and keep parallelism and timeouts reasonable.

What this means

Installing the skill through this script means trusting the referenced repository and pinned commit.

Why it was flagged

The setup script builds and installs a binary from a remote GitHub repository. The commit is pinned and verified, which reduces supply-chain risk, but the installed executable still comes from remote source.

Skill content

REPO_URL="https://github.com/neothelobster/ghostfetch.git" ... PINNED_COMMIT="6e6876a90470d4bb53e38be32e8f43e67b695b48" ... go build -o ghostfetch .

Recommendation

Inspect the referenced source or use a trusted preinstalled binary before running the setup script.

What this means

If you provide a captcha API key, the tool may use that provider account and the key could be exposed through command-line handling or logs depending on how it is invoked.

Why it was flagged

The skill documents optional use of a captcha-service API key even though no credential is required by default. This is purpose-aligned but involves a third-party credential if used.

Skill content

`--captcha-service` ... Captcha service: 2captcha, anticaptcha ... `--captcha-key` ... Captcha service API key

Recommendation

Only provide a captcha key when necessary, use a limited-scope key if possible, and avoid placing secrets in shared command logs.

What this means

Fetched-site cookies or response metadata could persist locally or be shown to the agent when JSON output is used.

Why it was flagged

The documentation indicates cookies may persist by default and may be printed in JSON output. This is disclosed, but cookie state can be retained or enter the agent context.

Skill content

`--no-cookies` | | false | Disable cookie persistence ... `--json` ... JSON with body, status, headers, cookies

Recommendation

Use --no-cookies for stateless fetching and avoid --json on pages where cookies or headers may be sensitive.