Webfetch Md

Pass. Audited by ClawScan on May 1, 2026.

Overview

This skill fetches a user-supplied webpage and converts it to Markdown. The main cautions are untrusted webpage content, unrestricted URL fetching, and minor packaging-metadata inconsistencies.

This appears safe to install for webpage-to-Markdown conversion. Before using it, remember that fetched page text may contain prompt-injection-like instructions, and only provide URLs you actually want the agent to retrieve. If provenance matters, verify the package/version because the included lockfile metadata is inconsistent.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A malicious or misleading webpage could include text that tries to steer the agent if the agent treats fetched content as instructions instead of data.

Why it was flagged

The tool converts fetched webpage content directly into Markdown that may be read by the agent; webpage text is untrusted and could contain instructions aimed at influencing the agent.

Skill content

    const markdown = turndownService.turndown($content.html());

Recommendation

Treat returned Markdown as untrusted webpage content. Ask for user confirmation before following instructions or taking actions based on fetched pages.

What this means

If given an unintended internal, local, or sensitive URL, the tool may fetch and return content from that location.

Why it was flagged

The supplied URL is fetched directly without an allowlist. This is central to the webpage-fetching purpose, but it means the tool can attempt to retrieve any URL the user or agent provides.

Skill content

    const response = await fetch(url, {

Recommendation

Use explicit, user-approved http(s) URLs and avoid localhost, private network, or administrative URLs unless that access is intentional.

What this means

Version/provenance inconsistencies can make it harder to verify exactly which package release and dependency set are being reviewed or installed.

Why it was flagged

The lockfile root name/version differs from the declared package name/version shown elsewhere for webfetch-md 1.1.0, suggesting stale or inconsistent packaging metadata.

Skill content

    "name": "html2md", "version": "1.0.0"

Recommendation

Prefer the bundled files that were reviewed. The publisher should refresh the lockfile and metadata so that the package name and version are consistent across all files.