Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Scrapling Fetch Pro

v1.2.0

Professional web scraping tool with full support for crawling WeChat Official Account articles, automatic mode detection, and noise cleanup. Suitable for scraping blogs, news, announcements, and various sites with anti-scraping protection.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description claim a professional scraper with WeChat and anti-bot bypass features; the included script implements selector-based scraping, WeChat noise removal, basic/stealth modes and Markdown output, which is coherent with the stated purpose. However the README claims automatic Cloudflare Turnstile bypass and other advanced anti-bot techniques while the script delegates stealth behavior to an external StealthyFetcher (scrapling.fetchers) — the bypass behavior is not visible in the shipped code. Also metadata files and the script show inconsistent version numbers (SKILL.md says 1.2.0, _meta.json and script header show 1.1.0), and source/homepage are unknown.
Instruction Scope
SKILL.md and references instruct running the included Python script and describe modes/flags; they do not direct the agent to read unrelated files, exfiltrate environment variables, or call unrelated external endpoints. The runtime instructions are narrowly scoped to scraping tasks. Note: they refer to Sessions and Cloudflare bypass in prose but do not include concrete config or credential usage in the included files.
Install Mechanism
There is no install spec (instruction-only + code file). That is lowest-install risk, but the script depends on several heavy packages (playwright, patchright, scrapling, html2text, beautifulsoup4, lxml). Playwright in particular typically downloads browser binaries at runtime which has additional network/file implications. Because there is no provided install or provenance, it's unclear how those dependencies should be installed or whether the 'scrapling' package (and its StealthyFetcher) is trustworthy.
Credentials
The skill declares no required environment variables, credentials, or config paths and the code does not read env vars. That is proportionate to the stated purpose. Note that stealth scraping may require cookies/sessions for logged-in pages (the docs mention Sessions) but no session-handling credentials are requested by the skill as packaged.
Persistence & Privilege
The skill is not marked always:true and does not request persistent system modifications. It is user-invocable and can be called autonomously by the agent (default behavior), which is normal. No code attempts to modify other skills or global agent settings.
What to consider before installing
Things to consider before installing/using this skill:
- Provenance: the package has no homepage and an unknown source/owner. Prefer code from known sources.
- Version/metadata mismatch: SKILL.md claims v1.2.0 while _meta.json and the script header show v1.1.0 — this could indicate sloppy packaging or partial updates.
- Promised "Cloudflare Turnstile" bypass is not implemented in the visible code; stealth behavior is delegated to scrapling.fetchers.StealthyFetcher. Inspect that external library before trusting the bypass claim.
- Dependencies: Playwright will download browser binaries at runtime and executes page JavaScript (normal for stealth scraping). Run in a sandboxed environment and be aware of large network/download side-effects.
- Legal/ethical risk: scraping WeChat and sites protected by anti-bot measures may violate terms of service or local law. Ensure you have the right to scrape target sites.
- Recommended actions: review the scrapling package (scrapling.fetchers) source, verify the StealthyFetcher implementation, run the tool in an isolated environment (container/VM), and only provide it access to target URLs you control or are permitted to scrape.
