Tabstack Extractor
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: tabstack-extractor
Version: 0.1.0
The skill's core functionality for web scraping via the Tabstack API appears benign, utilizing `api.tabstack.ai` as intended. However, the `SKILL.md` file contains a highly risky installation instruction for Babashka (`curl -s https://raw.githubusercontent.com/babashka/babashka/master/install | bash`). This method of executing remote scripts directly without integrity checks introduces a significant supply chain risk, as it could lead to arbitrary code execution if the remote script is compromised, making the skill suspicious.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your Tabstack API key would be used to authenticate requests and could be stored locally if you choose the config-file option.
The skill asks users to provide, and optionally store, a Tabstack API key. This is expected for the service integration, but it is still a sensitive credential and is not declared in the registry requirements.
export TABSTACK_API_KEY="your_api_key_here" ... echo '{:api-key "your_api_key_here"}' > ~/.config/tabstack/config.edn
Prefer an environment variable, avoid committing the key to projects or shell history, and rotate the key if it is exposed.
URLs, schemas, and the resulting extraction requests are shared with Tabstack; private or internal URLs could reveal sensitive context.
The wrapper sends the user-provided URL and extraction schema to Tabstack's API. This is disclosed and central to the skill's purpose, but it is an external provider data flow.
TABSTACK_BASE_URL = "https://api.tabstack.ai/v1" ... requests.post(f"{TABSTACK_BASE_URL}/extract/json", headers=headers, json=payload, timeout=30)
Only submit URLs and schemas you are comfortable sending to Tabstack, and avoid using this on private intranet pages or sensitive content unless approved.
Running this command would execute whatever installer is served from that GitHub branch at the time you run it.
The setup instructions recommend piping an unpinned remote installer from GitHub directly into bash. It is user-directed and disclosed, but it relies on remote code outside the reviewed artifact set.
curl -s https://raw.githubusercontent.com/babashka/babashka/master/install | bash
Install Babashka through a trusted package manager or inspect and pin the installer before running it.
