ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

High-Value Extractors

v1.0.0

Extract structured data from product pages, job listings, and company pages. Plus generate working AI endpoints from schemas. LLM-powered extraction micro-se...

0· 85·0 current·0 all-time
by@renoblabs

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for renoblabs/high-value-extractors.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "High-Value Extractors" (renoblabs/high-value-extractors) from ClawHub.
Skill page: https://clawhub.ai/renoblabs/high-value-extractors
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install high-value-extractors

ClawHub CLI

Package manager switcher

npx clawhub@latest install high-value-extractors
Security Scan
Capability signals
CryptoCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The SKILL.md describes paid HTTP endpoints (/x402s/...) that perform scraping and generate working FastAPI code. Yet the skill declares no API base URL, authentication, payment mechanism, or required credentials. A legitimate provider would need a network host, payment/crypto credentials or payment gateway integration, and possibly scraping credentials for protected sites — none are declared.
!
Instruction Scope
The instructions direct the agent to submit user-provided URLs (including linkedin.com and amazon.com) to remote extraction endpoints and to receive structured data or code in response. That means user content/URLs would be transmitted to an external service; the doc does not state where the endpoints live, what data is shared, or how authentication/consent/payment are handled. Scraping protected sites (LinkedIn, Amazon) is mentioned but no guidance is given on credentials or legal limits.
Install Mechanism
No install spec and no code files are present; this is instruction-only, so nothing will be written to disk during installation. That minimizes supply-chain risk from install artifacts.
!
Credentials
The skill indicates a paid x402/USDC-on-Base protocol but requests no environment variables or credentials. In practice, payment on Base (or using a crypto wallet) and model execution (the returned example uses 'claude-sonnet-4-6') would require API keys or wallet signing capabilities. The absence of any declared credentials is inconsistent and unexplained.
Persistence & Privilege
always is false and there is no indication the skill modifies agent config or requests persistent privileges. It does not request elevated agent-wide permissions in the manifest.
Scan Findings in Context
[no-findings] expected: The registry scanner found no code to analyze because this is an instruction-only skill (SKILL.md only). Absence of findings is expected but does not imply the skill is safe.
What to consider before installing
This skill is missing crucial details about where requests will be sent and how payments/authentication are handled. Before installing or using it, ask the provider for: (1) the full API base URL(s) and TLS/host identity, (2) how USDC payments on Base are authorized (wallet address, signature flow, or payment gateway) and whether any private keys are needed, (3) what credentials (API keys, scraping logins) are required for sites like LinkedIn or Amazon, (4) a privacy policy describing what data (URLs, page content) will be stored or logged by the service, and (5) legal/terms clarifying scraping of third-party sites. Do not send sensitive URLs, login-protected links, or any credentials to this skill until these questions are answered. If the author cannot provide clear operational and security details, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk974t7epye7yvy37pte3ny1v4984mw96
85downloads
0stars
1versions
Updated 2w ago
v1.0.0
MIT-0
@renoblabs
latest
Download

High-Value Extractors

Four LLM-powered extraction services for structured data.

Services

/extract-product — Product Page to Data

E-commerce URL to structured product data.

POST /x402s/extract-product
Body: {"url": "https://amazon.com/dp/..."}
Response: {"product": {"name": "...", "price": "$29.99", "brand": "...", "specs": {...}}}
Price: $0.02 USDC

/extract-job — Job Listing to Data

Job listing URL to structured data.

POST /x402s/extract-job
Body: {"url": "https://linkedin.com/jobs/..."}
Response: {"job": {"title": "...", "company": "...", "salary": "...", "requirements": [...]}}
Price: $0.02 USDC

/extract-contact — Company Intel

Company page to contact/company intelligence.

POST /x402s/extract-contact
Body: {"url": "https://company.com/about"}
Response: {"company": {"name": "...", "industry": "..."}, "emails": [...], "phones": [...]}
Price: $0.02 USDC

/create-endpoint — Schema to Working Endpoint

Describe what you want, get working FastAPI code back.

POST /x402s/create-endpoint
Body: {"name": "sentiment", "description": "Analyze text sentiment", "input_schema": {...}, "output_schema": {...}}
Response: {"code": "async def sentiment(request):\n  ...", "model": "claude-sonnet-4-6"}
Price: $0.10 USDC

Payment

x402 protocol — USDC on Base.

Comments

Loading comments...