Tabstack Extractor
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your Tabstack API key would be used to authenticate requests and could be stored locally if you choose the config-file option.
The skill asks users to provide, and optionally store, a Tabstack API key. This is expected for the service integration, but it is still a sensitive credential and is not declared in the registry requirements.
export TABSTACK_API_KEY="your_api_key_here" ... echo '{:api-key "your_api_key_here"}' > ~/.config/tabstack/config.ednPrefer an environment variable, avoid committing the key to projects or shell history, and rotate the key if it is exposed.
URLs, schemas, and the resulting extraction requests are shared with Tabstack; private or internal URLs could reveal sensitive context.
The wrapper sends the user-provided URL and extraction schema to Tabstack's API. This is disclosed and central to the skill's purpose, but it is an external provider data flow.
TABSTACK_BASE_URL = "https://api.tabstack.ai/v1" ... requests.post(f"{TABSTACK_BASE_URL}/extract/json", headers=headers, json=payload, timeout=30)Only submit URLs and schemas you are comfortable sending to Tabstack, and avoid using this on private intranet pages or sensitive content unless approved.
Running this command would execute whatever installer is served from that GitHub branch at the time you run it.
The setup instructions recommend piping an unpinned remote installer from GitHub directly into bash. It is user-directed and disclosed, but it relies on remote code outside the reviewed artifact set.
curl -s https://raw.githubusercontent.com/babashka/babashka/master/install | bash
Install Babashka through a trusted package manager or inspect and pin the installer before running it.