Code Pluginsource linked
ScrapeBadgerv1.0.0
OpenClaw plugin for ScrapeBadger — Twitter/X, Vinted, and web scraping tools
Community code plugin. Review compatibility and verification before install.openclaw plugins install clawhub:@scrapebadger/openclaw-pluginLatest release: v1.0.0Download zip
Capabilities
- Tags
- configSchema
- Yes
- Executes code
- Yes
- HTTP routes
- 0
- Runtime ID
- scrapebadger
Compatibility
- Built With Open Claw Version
- 2026.3.26
- Plugin Api Range
- >=2026.3.24
- Plugin Sdk Version
- 2026.3.26
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The source code implements scraping tools for Twitter/X, Vinted, and general web scraping and uses a SCRAPEBADGER_API_KEY to call scrapebadger.com — this is coherent with the plugin's stated purpose. However, the registry metadata at the top of the report lists 'Required env vars: none' while openclaw.plugin.json declares SCRAPEBADGER_API_KEY as required, which is an inconsistency.
Instruction Scope
There is no explicit SKILL.md with runtime instructions — the provided SKILL.md content appears to be the package.json manifest rather than human-readable runtime guidance. The plugin code does network calls (fetch) to the ScrapeBadger API and will accept arbitrary URLs to scrape (expected for this tool), but the missing/incorrect SKILL.md means install-time or runtime behavior and expected trust boundaries are not documented properly.
Install Mechanism
No install spec is provided (instruction-only-style), dependencies are minimal (@sinclair/typebox, TypeScript dev dep). No external downloads or extract steps are present in the package files, so there is no high-risk install mechanism in the bundle itself.
Credentials
The code legitimately requires a SCRAPEBADGER_API_KEY (and optionally SCRAPEBADGER_API_URL) to contact the service; that credential is proportionate to the stated functionality. The inconsistency between the top-level 'Required env vars: none' and openclaw.plugin.json's 'requires.env' is misleading and should be corrected before trusting the package metadata.
Persistence & Privilege
The plugin does not request always:true, does not modify other skills, and does not request system-wide privileges. It performs network calls to the ScrapeBadger API only when its tools are invoked.
What to consider before installing
This package's code implements exactly what it claims — a client for scrapebadger.com that scrapes Twitter/X, Vinted, and arbitrary web pages — and it requires a SCRAPEBADGER_API_KEY. However: (1) the package metadata/SKILL.md appears inconsistent or missing (the manifest is shown where runtime instructions should be), so documentation and expected behavior are unclear; (2) the plugin will make network requests to scrapebadger.com and can be asked to fetch arbitrary URLs, which can expose scraped data to that service; (3) confirm you trust scrapebadger.com and limit the API key's permissions; prefer supplying the API key via the plugin config (openclaw.plugin.json supports apiKey) rather than broad environment variable usage; and (4) if you need higher assurance, ask the author for a proper SKILL.md describing runtime behavior, or audit the packaged dist files and the referenced repository to ensure no hidden behavior. If any of these items are unacceptable or you cannot verify the service, do not install.src/api.ts:5
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Verification
- Tier
- source linked
- Scope
- artifact only
- Summary
- Validated package structure and linked the release to source metadata.
- Commit
- 55a95b6a15d9
- Tag
- 55a95b6a15d99694ec4c90188d18c6ae80aa57d1
- Provenance
- No
- Scan status
- pending
Tags
- api
- 1.0.0
- latest
- 1.0.0
- scraping
- 1.0.0
- 1.0.0
- vinted
- 1.0.0
- web-scraping
- 1.0.0