Tabstack Extractor
PassAudited by ClawScan on May 10, 2026.
Overview
This appears to be a straightforward Tabstack web-extraction helper, but users should notice the external API data flow, API-key handling, and a few setup/documentation mismatches.
This skill is reasonable to use for intended web-extraction tasks. Before installing, use a trusted Babashka install method, confirm which included script you will actually run because `scripts/tabstack.clj` is missing, and avoid sending private URLs or secrets to Tabstack unless that data sharing is acceptable.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your Tabstack API key would be used to authenticate requests and could be stored locally if you choose the config-file option.
The skill asks users to provide, and optionally store, a Tabstack API key. This is expected for the service integration, but it is still a sensitive credential and is not declared in the registry requirements.
export TABSTACK_API_KEY="your_api_key_here" ... echo '{:api-key "your_api_key_here"}' > ~/.config/tabstack/config.ednPrefer an environment variable, avoid committing the key to projects or shell history, and rotate the key if it is exposed.
URLs, schemas, and the resulting extraction requests are shared with Tabstack; private or internal URLs could reveal sensitive context.
The wrapper sends the user-provided URL and extraction schema to Tabstack's API. This is disclosed and central to the skill's purpose, but it is an external provider data flow.
TABSTACK_BASE_URL = "https://api.tabstack.ai/v1" ... requests.post(f"{TABSTACK_BASE_URL}/extract/json", headers=headers, json=payload, timeout=30)Only submit URLs and schemas you are comfortable sending to Tabstack, and avoid using this on private intranet pages or sensitive content unless approved.
Running this command would execute whatever installer is served from that GitHub branch at the time you run it.
The setup instructions recommend piping an unpinned remote installer from GitHub directly into bash. It is user-directed and disclosed, but it relies on remote code outside the reviewed artifact set.
curl -s https://raw.githubusercontent.com/babashka/babashka/master/install | bash
Install Babashka through a trusted package manager or inspect and pin the installer before running it.