ClawHub

Fetch Url

v1.0.0

Fetch raw HTTP response bodies from one or more URLs with optional custom headers and timeout, supporting JSON, XML, RSS, CSV, plain text, and files.

0· 96·3 current·3 all-time
by长安@roaycl
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description match the included script: the skill fetches raw HTTP responses for one or more URLs with optional per-URL headers and timeout. Minor mismatch: SKILL.md metadata declares 'node' as a required binary, but the registry metadata lists no required binaries; package.json declares a dependency (user-agents) so Node.js and dependencies are required at runtime.
Instruction Scope
SKILL.md instructs the agent to run the included Node script which only performs network fetches and prints results. The instructions and script do not read environment variables or local files. However, the skill will fetch arbitrary URLs provided by the caller — that means it can access internal endpoints (localhost/169.254.169.254, internal APIs) and return their contents. This is expected for a fetch tool but is a privacy/SSRF risk if untrusted inputs are allowed.
Install Mechanism
There is no install spec (instruction-only), which is low risk, but the package.json/package-lock indicate an npm dependency (user-agents). No install step is provided to install node_modules; the runtime therefore requires Node.js 18+ and that dependencies be available in the environment. This operational gap (no declared required binary in registry, no install step) may cause runtime failures or lead integrators to install dependencies manually.
Credentials
The skill requests no environment variables, no credentials, and does not access config paths. That is proportionate to its purpose.
Persistence & Privilege
always is false and the skill does not request persistent system or agent-wide modifications. It does not modify other skills or system configuration.
Assessment
This skill appears to do what it says (fetch HTTP responses). Before installing: ensure the runtime provides Node.js 18+ and that the dependency (user-agents) is installed or vendored, because there is no install step included; verify the registry metadata correctly lists 'node' as a required binary. Most importantly, treat input URLs as sensitive: the skill will fetch arbitrary targets you pass it — avoid giving untrusted inputs that could point to internal services (localhost, cloud metadata endpoints such as 169.254.169.254) or file:// URLs. If you plan to enable autonomous invocation, consider restricting which hosts/paths the skill is allowed to fetch or requiring user confirmation for remote URLs to reduce SSRF/data-exfiltration risk.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cq7v26a6zyvq71x3hb9xtdd83h1gg

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments