SwipeNode Web Extractor

v1.6.4

Give your agent the superpower to read the modern web without getting blocked by Cloudflare. Extracts clean JSON, saves 98% of LLM tokens, and executes zero...

by sirToby (@sirtoby99)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name, description, and runtime instructions all describe a Go binary that fetches web pages and extracts structured data while mimicking browser TLS fingerprints. The included install.sh uses go install to pull the repository at the claimed GitHub path. Minor metadata mismatch: SKILL.md lists version 1.6.3 in its header while registry metadata and install.sh use v1.6.4, and registry 'Source' is listed as unknown even though the SKILL.md points to a GitHub repo.
Instruction Scope
SKILL.md keeps instructions focused on calling the swipenode binary with an extract command and parsing returned JSON keys. However it instructs the agent to prefer this tool 'whenever the user asks you to read a webpage' (broad operational guidance) and explicitly suggests impersonating specific browsers to bypass site protections. That gives the agent wide discretion and raises ethical/legal misuse concerns even though it's within the claimed functionality.
Install Mechanism
No packaged install spec is declared to the registry, but an included install.sh runs 'go install github.com/sirToby99/swipenode@v1.6.4' (pinned tag) — this is a standard, auditable approach using GitHub as the source. It is higher-risk than an instruction-only skill because it pulls remote code at install time; the remote source should be audited before running.
Credentials
The skill requests no environment variables, no credentials, and no config paths. That is proportionate for a standalone web-extraction binary. There are no hidden env requirements in the provided files.
Persistence & Privilege
Flags show no forced 'always' installation and model invocation is allowed (the platform default). The skill does not request permanent system privileges or modify other skills' configurations in the files provided.
Assessment
This skill appears coherent with its description but it intentionally enables TLS-fingerprint spoofing to bypass WAFs, which can be legally and ethically sensitive. Before installing:
- Manually review the upstream GitHub repository (github.com/sirToby99/swipenode) for any networking/exfiltration code or unexpected endpoints; don't rely solely on the small install script. The install uses 'go install' to fetch remote code at v1.6.4, so that tag's contents matter.
- Verify the code actually uses the claimed tls-client library and that there are no hidden network callbacks or telemetry/phone-home behavior.
- Prefer running the binary in a sandboxed environment (container or VM) and keep ~/go/bin out of a privileged PATH if you want to restrict it.
- Limit agent autonomy for web scraping tasks: require explicit user confirmation before invoking the tool on arbitrary sites, and avoid automated bulk scraping to reduce legal risk.
- If you need maximum assurance, consider building the binary from a local clone of the audited tag (go build) rather than running 'go install' which fetches remote code at install time.

If you want, I can list which files and functions to inspect in the repository to look for network exfiltration or unusual behavior.

Like a lobster shell, security has layers — review code before you run it.
