ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Opengraph Io

v1.4.0

Extract web data, capture screenshots, scrape content, and generate AI images via OpenGraph.io. Use when working with URLs (unfurling, previews, metadata), capturing webpage screenshots, scraping HTML content, asking questions about webpages, or generating images (diagrams, icons, social cards, QR codes). Triggers: 'get the OG tags', 'screenshot this page', 'scrape this URL', 'generate a diagram', 'create a social card', 'what does this page say about'.

6· 2.2k·2 current·2 all-time
by@primeobsession
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (unfurling, screenshots, scraping, image generation) align with the declared requirements (curl + OPENGRAPH_APP_ID) and the SKILL.md examples. No unrelated credentials, binaries, or unusual system paths are requested.
Instruction Scope
SKILL.md is explicit: use curl to call opengraph.io endpoints, create image-generation sessions, or use scrape/extract/screenshot/query endpoints. The instructions do show how to bypass geo-blocking or datacenter blocks via the service's proxy options (use_proxy/use_premium/auto_proxy) and how to integrate an optional MCP server. It does not instruct the agent to read unrelated local files or exfiltrate other secrets. However, it encourages placing OPENGRAPH_APP_ID into various client config files (Claude, VS Code, etc.), which increases where the key will be stored and thus its exposure—this is a usability trade-off rather than an incoherence.
Install Mechanism
The registry shows this is instruction-only with no bundled code, which is low risk. SKILL.md and the docs reference an optional npm MCP package (opengraph-io-mcp) to be installed via npx/npm. npx'ing an npm package runs external code at install/runtime — a normal pattern for helper tooling but a moderate supply-chain execution risk. Also there's a minor inconsistency: top-level registry metadata in the package summary claimed 'No install spec', yet SKILL.md metadata and docs include an optional npm install entry.
Credentials
Only one credential is required (OPENGRAPH_APP_ID), which is proportional to the service. The SKILL.md consistently uses app_id query parameters. The only concern is guidance that places the API key into multiple client config files (some user-editable or project-scoped), which may broaden where the secret resides — the key itself is justified, but follow best practices for secret storage.
Persistence & Privilege
The skill does not request permanent inclusion (always: false) nor claims elevated platform privileges. It recommends optional integration into other AI clients (MCP) by editing their configs; these are user-driven changes, not automatic. There's no instruction to modify other skills or system-wide agent settings autonomously.
Assessment
This skill appears to do what it says: call OpenGraph.io APIs using your OPENGRAPH_APP_ID and curl. Before installing or configuring: 1) Verify the OpenGraph.io service and dashboard URL are correct and that you trust the provider. 2) Keep your OPENGRAPH_APP_ID secret — prefer setting it as an environment variable rather than embedding it in project files or shared configs (.vscode, repo files). 3) If you run the optional MCP helper (npx opengraph-io-mcp), review that npm package/source first because npx will execute code from npm. 4) Be aware the service provides proxy options to access geo-restricted content; using proxies may have legal/terms-of-service implications for target sites — ensure you have the right to scrape those pages. 5) If you want minimal exposure, avoid adding the key to multiple client config files and instead rely on per-host environment variables or dedicated, revocable keys. Overall the skill is internally consistent and coherent with its stated purpose.

Like a lobster shell, security has layers — review code before you run it.

latestvk97a173h26cczxb7kv85br7q2s80ew1a

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔗 Clawdis
Binscurl
EnvOPENGRAPH_APP_ID
Primary envOPENGRAPH_APP_ID

Comments