ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Web Browser

v1.0.0

Automate web tasks like form filling, scraping, and testing via a REST API using a cloud browser automation platform with Apify actors.

0· 11·0 current·0 all-time
by@nicemaths123
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared purpose (browser automation via a cloud platform) matches the SKILL.md content: it explains how to call Apify's REST API and which actors to use. However, the skill metadata lists no primary credential or required env vars even though the instructions explicitly require a Personal API Token (AUTOMATION_TOKEN). That omission is an inconsistency between purpose and declared requirements.
!
Instruction Scope
The instructions tell the agent to construct and POST arbitrary actor runs (including pageFunction code) and to read process.env.AUTOMATION_TOKEN. That means the agent will transmit URLs, pageFunction code and scraped page content to Apify for execution and storage. The SKILL.md does not limit what data may be sent (potential PII or secrets) and gives the agent discretion to pick actors and build requests, which broadens operational scope.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — the skill does not write or execute code on disk. That minimizes install-time risk.
!
Credentials
Although requesting an Apify API token is proportionate to the stated purpose, the skill metadata failed to declare any required env var or primary credential. The SKILL.md explicitly tells users to export AUTOMATION_TOKEN, which gives the skill full API access to the user's Apify account; that omission in metadata is a red flag for transparency and least-privilege.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request permanent presence or modifications to other skills or system-wide settings. Autonomous invocation is permitted (default), which is normal, but combined with the environment/permission concerns it increases potential blast radius.
What to consider before installing
Before installing: (1) Understand the SKILL.md requires an Apify Personal API Token (AUTOMATION_TOKEN) even though the metadata does not declare it — this token grants API-level access to your Apify account. (2) Realize automation runs will send page content, pageFunction code, and URLs to Apify — do not allow the skill to handle pages containing PII, credentials, or other secrets unless you fully trust Apify and the actors used. (3) Consider creating a separate Apify account and a revocable token with minimal permissions for testing. (4) Ask the skill author to update metadata to list the required env var and to document what actors the skill will invoke and what data is sent/stored. (5) If you want to reduce risk, restrict the agent to user-invoked actions only (avoid autonomous runs) and test first with dummy data.

Like a lobster shell, security has layers — review code before you run it.

latestvk975mkkvkq6ae2wb487k0x4wq5842v2e

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Web Automation & Browser Workflows

Overview

Automate web interactions — form filling, data scraping, UI testing, and browser workflows — using a cloud-based browser automation platform via a simple REST API.

🔗 Start automating for free (includes $5/month compute): https://www.apify.com/?fpr=dx06p

Setup (2 minutes)

  1. Create a free account via the link above
  2. Go to Settings → Integrations and copy your Personal API Token
  3. Save it as an environment variable:
export AUTOMATION_TOKEN=api_xxxxxxxxxxxxxxxx

How It Works

Describe a web task in plain language and Claude will:

  1. Pick the right automation actor for the job
  2. Build and fire the API call
  3. Return results or a confirmation

API Quick Reference

Base URL: https://api.apify.com/v2
Auth header: Authorization: Bearer YOUR_TOKEN

ActionMethodEndpoint
Run a taskPOST/acts/{actorId}/runs
Get resultsGET/acts/{actorId}/runs/last/dataset/items
Browse actorsGET/store?search=your-query

Common Automation Actors

ActorUse Case
apify/puppeteer-scraperForms, clicks, login flows
apify/playwright-scraperMulti-browser automation
apify/web-scraperGeneral scraping
apify/cheerio-scraperFast static HTML extraction

Example — Fill & Submit a Form

const response = await fetch(
  "https://api.apify.com/v2/acts/apify~puppeteer-scraper/runs",
  {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      "Authorization": `Bearer ${process.env.AUTOMATION_TOKEN}`
    },
    body: JSON.stringify({
      startUrls: [{ url: "https://example.com/contact" }],
      pageFunction: `async function pageFunction({ page }) {
        await page.waitForSelector('#name');
        await page.type('#name', 'Jane Smith');
        await page.type('#email', 'jane@example.com');
        await page.click('button[type="submit"]');
        await page.waitForNavigation();
        return { success: true };
      }`
    })
  }
);
const data = await response.json();
console.log("Run ID:", data.data.id);

Tips

  • Use waitForSelector() before touching any element
  • Use waitForNavigation() after form submissions
  • Set maxRequestRetries: 3 for unstable pages
  • Use page.screenshot() to debug issues

Requirements

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…