Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Tabstack Extractor
v0.1.0Extract structured data from websites using Tabstack API. Use when you need to scrape job listings, news articles, product pages, or any structured web content. Provides JSON schema-based extraction and clean markdown conversion. Requires TABSTACK_API_KEY environment variable.
⭐ 0· 1.8k·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name, description, and included code (Python and curl wrappers) consistently target the Tabstack API (api.tabstack.ai). However the registry metadata lists no required environment variables or primary credential while the SKILL.md and all code require a TABSTACK_API_KEY — this mismatch is an important incoherence.
Instruction Scope
SKILL.md instructs use of a Babashka script 'scripts/tabstack.clj' (bb commands) and offers a configuration-file alternative, but the file manifest does not include tabstack.clj — only tabstack_api.py and tabstack_curl.sh are present. The runtime instructions therefore reference code that isn't bundled, granting the agent ambiguous discretion. Otherwise the instructions only read schema files and the TABSTACK_API_KEY and target api.tabstack.ai (no other external endpoints).
Install Mechanism
There is no formal install spec (instruction-only), which limits risk. SKILL.md recommends installing Babashka using a curl|bash command from a GitHub raw URL — that's a common but higher-risk install pattern (pipe-to-shell). The bundled code itself has no install/download steps and uses standard Python 'requests' and curl calls.
Credentials
All code and the SKILL.md expect a single TABSTACK_API_KEY, which is proportionate to the stated purpose. However the registry metadata does not declare this required env var or a primary credential — a mismatch that could confuse permission reviews or automation. No other secrets or unrelated env vars are requested.
Persistence & Privilege
The skill does not request always: true or other elevated persistence. It is user-invocable and allows normal autonomous invocation. It does not attempt to modify other skills or system configs.
What to consider before installing
What to check before installing:
- Confirm the TABSTACK_API_KEY requirement: the SKILL.md and both included wrappers require TABSTACK_API_KEY, but the registry metadata doesn't list it. Only provide an API key from a trusted Tabstack account and give it the minimum scope required.
- Inspect missing files: the docs instruct running bb scripts/tabstack.clj, but tabstack.clj is not present in the bundle. Ask the publisher why the referenced Babashka script is missing or obtain the correct bundle before running commands.
- Avoid running curl | bash blindly: the quick-start suggests installing Babashka via a curl-based install script. Prefer installing Babashka from your OS package manager or review the install script first.
- Review the shipped scripts yourself: the provided Python and bash wrappers post only to https://api.tabstack.ai/v1 and read local schema files; verify there are no hidden endpoints or credential leaks before use.
- Test with non-sensitive URLs/data first and verify network traffic (or run in an isolated environment) to ensure behavior matches expectations.
Confidence notes: assessment is medium confidence because the code present matches the stated purpose, but the missing referenced script and registry metadata mismatch are unresolved ambiguities. If the publisher provides the missing tabstack.clj or updates registry metadata to declare TABSTACK_API_KEY, this would reduce concern.Like a lobster shell, security has layers — review code before you run it.
latestvk977jfsvn858q7bfs1738jsd0s808ggm
License
MIT-0
Free to use, modify, and redistribute. No attribution required.