Web Research Assistant

v0.1.0

AI-powered web research assistant that leverages the BrowserAct API to supplement restricted web access by searching the internet for additional information. Designed for OpenClaw and Claude Code.

by Henk Nie (@phheng)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The code implements a BrowserAct MCP-based search against https://mcp.browseract.com/, which aligns with the 'BrowserAct' integration described. However, the SKILL.md and metadata claim different required credentials (SKILL.md asks for BROWSERACT_API_KEY while the script actually requires BROWSERACT_MCP_TOKEN), and the documentation makes strong claims about bypassing reCAPTCHA, paywalls, and geo-blocking that go beyond a simple search wrapper.
Instruction Scope
SKILL.md instructs the user to supply a BrowserAct API key and promises features like 'built-in bypass mechanism' for human verification and breaking geo/IP restrictions and paywalls. The runtime instructions and the script itself do not show any local code that performs CAPTCHA/anti-bot circumvention — they rely entirely on the remote BrowserAct MCP service. That claimed capability (and the phrasing around bypassing protections) is a red flag for potential misuse and legal/ethical issues and should be justified by the publisher.
Install Mechanism
No install spec or external downloads; it's an instruction-only skill with a small Python script included. No archive downloads or external install URLs were observed.
Credentials
Metadata lists no required env vars, SKILL.md asks the user to provide BROWSERACT_API_KEY, but the script reads both BROWSERACT_API_KEY and BROWSERACT_MCP_TOKEN and actually fails if BROWSERACT_MCP_TOKEN is not set. BROWSERACT_API_KEY is read but unused. This env-var mismatch is incoherent and could lead users to supply the wrong secret or to inadvertently expose credentials. The skill asks for credentials but does not document which exact secret is required.
Persistence & Privilege
The skill is user-invocable and not always-enabled. It doesn't request persistent system privileges, does not modify other skills or system-wide configs, and does not attempt to run background services.
What to consider before installing
Do not provide secrets yet. The package has two problems that need clarification: (1) SKILL.md asks for BROWSERACT_API_KEY but the script will actually fail unless BROWSERACT_MCP_TOKEN is set; (2) the documentation explicitly claims the ability to bypass reCAPTCHA, paywalls, and geo-blocks — which poses legal/ethical risk even if implemented by a third-party service. Before installing or running, ask the publisher for: the exact credential name the skill expects, what the remote MCP service does (privacy/terms), and written justification for the bypass claims. Prefer testing in an isolated environment, and never paste unrelated credentials (AWS, GitHub, etc.). If you proceed, provide only a scoped API token (not reusable master keys) and confirm the service's legitimacy and terms-of-use.
