ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

XPR Web Scraping

v0.2.11

Tools for fetching and extracting cleaned text, metadata, and links from single or multiple web pages with format options and link filtering.

0· 1.9k·12 current·13 all-time
by@paulgnz
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (fetching, extracting text/links/metadata) match the actual tools and code: scrape_url, extract_links, scrape_multiple. No unrelated env vars, binaries, or services are requested.
Instruction Scope
SKILL.md describes limited scraping actions (single page, link extraction, multi-page up to 10). Instructions recommend rate-limiting and content-size limits and do not instruct access to unrelated files, credentials, or external endpoints beyond the target pages.
Install Mechanism
No install spec; skill is instruction-plus-code and relies on built-in Node fetch. No downloads, package registry installs, or archive extraction are present in the provided metadata.
Credentials
Skill requires no environment variables, credentials, or config paths. The code uses only network fetch and in-memory parsing; requested access is proportional to web-scraping functionality.
Persistence & Privilege
always is false and disable-model-invocation is false (normal). The skill does not request persistent system-wide privileges or modify other skills. Autonomous invocation is allowed by platform default but not combined with other red flags.
Assessment
This skill appears to be a coherent, self-contained web scraper that doesn't request secrets or install external code. Before installing: (1) review the full src/index.ts (the provided snippet was truncated) to confirm there are no hidden network callbacks or logging endpoints; (2) ensure use complies with target sites' robots.txt, terms of service, and legal/privacy rules; (3) enforce rate limits and avoid scraping protected or paywalled content; (4) if you run in a sensitive environment, sandbox the skill (or review for any unexpected outbound endpoints) before enabling autonomous invocation.

Like a lobster shell, security has layers — review code before you run it.

extractionvk9747d799hshn53qcd0k30gfen813t5clatestvk9747d799hshn53qcd0k30gfen813t5cweb-scrapingvk9747d799hshn53qcd0k30gfen813t5cxprvk9747d799hshn53qcd0k30gfen813t5c

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments