Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Webfetch Md

v1.1.0

Fetch any webpage and convert its main content into clean Markdown format, preserving image links and resolving relative URLs.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (fetch webpage → Markdown) matches the code and SKILL.md. index.js implements HTML fetching, content extraction, URL resolution, and turndown conversion; package.json lists cheerio and turndown as dependencies and node is required. The included CLI and OpenClaw tool wrappers call the same core function, which is coherent.
Instruction Scope
SKILL.md instructs the agent to run the CLI/tool with a URL and the code only fetches and processes the provided URL; it does not read local files or environment secrets. However, because the skill will fetch arbitrary URLs provided at runtime, it can reach internal network endpoints or external sites — this is expected for the stated purpose but carries the usual SSRF / internal-network-access risk if run in a privileged network context.
Install Mechanism
There is no remote install script or unusual download URL. This is an instruction-and-code bundle relying on Node and standard npm packages (cheerio, turndown). package-lock.json points to packages on the npm registry (registry.npmjs.org), not personal servers or shortened URLs, so the install footprint is conventional.
Credentials
The skill requests no environment variables, credentials, or config paths. All required runtime inputs are provided as URL parameters, which is proportionate to the stated functionality.
Persistence & Privilege
The skill is not marked always:true and does not attempt to modify other skills or system-wide configuration. It performs no autonomous privilege-escalating actions in the provided code.
Assessment
This skill appears to do exactly what it says: fetch a provided URL and convert the main content to Markdown using cheerio and turndown. Before installing or enabling it for autonomous agents, consider:
(1) Runtime Node version: cheerio notes Node >= 20.18.1 in package metadata, so ensure compatibility.
(2) Network risk: the skill can fetch any URL you pass it, so do not let untrusted prompts cause the agent to fetch internal URLs or sensitive endpoints (SSRF/internal network exposure).
(3) Dependency hygiene: the package uses standard npm dependencies from the public registry; you may want to run npm audit or review package-lock.json if you require higher assurance.
(4) Run tests locally first (node test.js <url>) to verify behavior and output.
(5) If you plan to allow autonomous invocation, restrict or validate URLs the agent may fetch to avoid unintended access to internal services or confidential endpoints.

Runtime requirements

Bins: node
