Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Emily Web Fetch

Fetch static webpage content up to 5000 characters via HTTP/HTTPS GET for analysis, summarization, or information extraction.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 371 · 2 current installs · 2 all-time installs
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
high confidence
Purpose & Capability
The name, description, SKILL.md, and index.js all implement an HTTP/HTTPS GET fetcher with a 5000-character truncation. No unrelated environment variables, binaries, or install steps are requested. Minor inconsistency: registry metadata lists version 1.0.5 while package.json contains version 1.0.1.
Instruction Scope
SKILL.md states the tool will 'respect robots.txt', but the runtime code does not check robots.txt. The tool accepts arbitrary URLs with no host/IP allowlist or explicit prohibition of private/network addresses, which enables server-side request forgery (SSRF) from the agent's environment. Redirects are not followed (the code returns a redirect message), which is coherent but should be documented. The implementation also uses a setTimeout for a 10s timeout but does not clear it on success, which can lead to spurious 'request timeout' rejections after a successful response.
Install Mechanism
No install spec; the skill is instruction-only plus a small included JS file that uses only built-in http/https modules. Nothing is downloaded from third-party hosts and no archives are extracted.
Credentials
The skill requests no environment variables or credentials, which is proportional to a stateless fetch tool. However, because it will make arbitrary network requests, it can be used to probe internal services or metadata endpoints accessible from the agent, so network access policies should be considered.
Persistence & Privilege
Default privileges (always: false, model invocation enabled). The skill does not request persistent or elevated platform privileges and does not modify other skills or system configuration.
What to consider before installing
This skill appears to do what it says (fetching static HTTP/HTTPS pages and truncating to 5000 chars), but there are a few issues to consider before installing:

1) The SKILL.md promises robots.txt compliance but the code does not implement it. If you require crawling policy enforcement, ask the author to add a robots check.
2) The tool will fetch any URL you give it; that enables SSRF-like access to internal network services or cloud metadata endpoints reachable from the agent. If this is sensitive in your environment, run the skill in a network-restricted sandbox or add an allowlist/blocklist for hosts/IP ranges.
3) The timeout logic can produce false 'request timeout' errors because the timer isn't cleared on success. This is a reliability bug.
4) Registry/package version mismatch (registry 1.0.5 vs package.json 1.0.1) is a minor integrity flag. Consider asking the publisher for clarification.

If you decide to use it, test in an isolated environment and request the maintainer to fix robots.txt handling, add host restrictions, and correct the timeout handling.

Like a lobster shell, security has layers — review code before you run it.

Current version v1.0.5

SKILL.md

Web Fetch Skill

Description

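Fetches the content of the web page at a given URL and returns a text summary or the raw HTML. Used to retrieve news, announcements, data pages, and similar content.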

Tools Provided

  • fetch(url) - Fetches a web page and returns its text content (up to 5000 characters)

Usage

The assistant calls this tool to retrieve web page content, then analyzes it, summarizes it, or extracts information from it.

Examples

User: Fetch https://www.cls.cn/telegraph
Assistant: Calls web-fetch:fetch(url), then returns the retrieved content with an interpretation.

Limitations

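  • Supports HTTP/HTTPS GET only
  • Does not handle JavaScript-rendered pages (static HTML)
  • Content length is limited to 5000 characters to avoid oversized responses
  • The target site must permit crawling (respects robots.txt)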

Files

3 total