Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Scrapeless Webunlocker Skill
v1.0.0
Bypass website blocks and scrape web content using Scrapeless Universal Scraping API.
by scrapeless @scrapelesshq
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description, SKILL.md, README, and script are coherent: it calls the Scrapeless Universal Scraping API and needs an API token. However the registry metadata reported at the top lists no required env vars while SKILL.md and scripts require X_API_TOKEN, an inconsistency that should be resolved.
Instruction Scope
Runtime instructions and the script are scoped to building a payload and POSTing it to https://api.scrapeless.com/api/v2/unlocker/request. This means any URL, custom headers, POST data, or selectors you provide will be transmitted to the external Scrapeless service (and billed). That behavior matches the stated purpose but has privacy/billing implications that users must consider.
Install Mechanism
No install spec in the registry (instruction-only with packaged Python script). requirements.txt lists only 'requests' and 'python-dotenv' — no suspicious download/install URLs or archive extractions were present.
Credentials
Requesting a single API credential (X_API_TOKEN) is proportional to the described functionality. The inconsistency between registry metadata (no env vars) and SKILL.md/script (requires X_API_TOKEN) is the main concern. The skill reads .env (repo root) which is normal but means tokens in that file will be used and potentially transmitted to the external API.
Persistence & Privilege
The skill is not marked 'always: true' and does not request special persistent privileges. It does not modify other skills or system settings based on the provided files.
What to consider before installing
Before installing:
- Confirm the skill's source and that scrapeless.com is the intended provider (repository source was 'unknown').
- Expect that every target URL, headers, and request body you give will be sent to Scrapeless and could be stored or billed — do not send sensitive private URLs or credentials.
- Provide a dedicated, limited-scope API token (do not reuse high-privilege secrets) and keep it out of public repos (.env should not be committed).
- Resolve the metadata inconsistency: the registry should declare X_API_TOKEN as required (SKILL.md already does).
- If you care about data locality/privacy, review Scrapeless's privacy/billing policies and TLS endpoint (api.scrapeless.com) and consider testing with non-sensitive targets first.
- If uncertain about provenance, run the script in an isolated environment or review the full code (the main network call is a single POST to api.scrapeless.com) before granting the token.
