SwipeNode Web Extractor
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This web extraction skill is transparent about what it does, but it needs review because it explicitly helps bypass Cloudflare/WAF blocking and overstates protection against prompt-injection content.
Install only if you are comfortable running a Go CLI that is pulled and built from GitHub at install time. Use the extractor only on sites where automated access is allowed, avoid bypassing protections on high-security sites without clear authorization, and treat all extracted webpage content as untrusted text rather than safe instructions.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using this against sites that tried to block automation could violate terms of service, trigger IP/account bans, or create legal and operational risk.
The skill explicitly advertises bypassing anti-bot/WAF protections rather than only fetching ordinary public webpages.
🥷 **Bypasses Cloudflare & WAFs:** Native TLS-fingerprint spoofing.
Use only for sites you own, are authorized to access, or where automated extraction is permitted; require explicit user approval before using impersonation or bypass-style options.
A user or agent may over-trust extracted webpage content and fail to treat it as untrusted input.
Not executing JavaScript can reduce browser-exploit risk, but scraped HTML, JSON, and text can still contain prompt-injection instructions or misleading content.
🛡️ **Zero-JS Execution:** Immune to browser-based prompt injections.
Treat all extracted webpage content as untrusted data, ignore instructions embedded in webpages, and use it only to answer the user’s stated request.
If the upstream repository or tag changes or is compromised, the installed binary may differ from what was reviewed here.
Installation pulls and builds code from GitHub at install time using a version tag; the runnable source is not included in the provided artifacts.
go install github.com/sirToby99/swipenode@v1.6.4
Inspect the upstream repository before installing, prefer immutable commit or checksum pinning, and run the tool in a constrained environment if possible.
