Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Save All Resource

v1.0.0

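Opens a visible browser so the user can browse the target site manually, continuously listens for same-domain raw response content while they browse, and writes it to a local Desktop directory in real time.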

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for cnoder-wgh/save-all-resource.

Install the skill "Save All Resource" (cnoder-wgh/save-all-resource) from ClawHub.
Skill page: https://clawhub.ai/cnoder-wgh/save-all-resource
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install save-all-resource

ClawHub CLI

npx clawhub@latest install save-all-resource

Security Scan

VirusTotal: Suspicious
OpenClaw: Benign (high confidence)

Purpose & Capability

Name/description ask to open a visible browser and persist same-origin responses. The included scripts use puppeteer, listen to page responses, filter by same-origin and http/https, and write files to a Desktop directory — all are coherent and proportionate.

Instruction Scope

SKILL.md instructs running node scripts/main.js <url>, which the code implements. The script persistently saves any same-origin responses the user triggers (HTML, JS, CSS, images, JSON, fonts, etc.). This behavior is expected, but note it will store any sensitive content the user navigates to (including authenticated pages) on the local Desktop.

Install Mechanism

There is no packaged installer; SKILL.md tells the user to run npm install in the scripts directory. That installs puppeteer and its dependencies from the npm registry (a typical, traceable registry install). Puppeteer will also download a browser binary during install which is a large network download — expected but notable.

Credentials

The skill requests no environment variables, credentials, or config paths. It does write files into the user's Desktop (os.homedir()/Desktop/<domain>), which is appropriate for the stated purpose but means local filesystem write access is required.

Persistence & Privilege

always:false and there is no installation script that modifies other skills or system-wide configs. The skill runs locally when invoked and exits when the tab closes or on SIGINT as described.

Assessment

This skill appears to do what it says: it opens a visible browser and saves same-origin HTTP/HTTPS responses to a folder on your Desktop. Before installing or running it, consider: (1) npm install will download puppeteer and many dependencies and will fetch a browser binary — expect a large network/download and inspect package-lock.json if you want to audit dependencies; (2) anything you navigate while the script runs (including pages behind logins) will be saved locally — avoid visiting sensitive accounts or use an isolated/sandbox environment or a throwaway profile; (3) the saved files live on your Desktop (check disk usage and privacy); (4) if you need stronger assurance, run this in a VM/container or review the puppeteer dependency tree for unexpected postinstall scripts. Overall the skill is internally consistent and contains no obvious remote exfiltration or unexplained credential requests.

Like a lobster shell, security has layers — review code before you run it.

latest vk974kmghcc1qgapnhj0va013758354bg
254 downloads
0 stars
1 version
Updated 22h ago
v1.0.0
MIT-0

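Save All Resources

Use this skill when the user wants to enter a URL, browse pages manually once the browser opens, and have same-domain raw response content saved continuously to a local directory.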

Input

The user should provide an entry URL, for example:

  • https://www.google.com/

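Output

The script creates a folder named after the domain on the user's Desktop, for example:

  • ~/Desktop/www.google.com

It then continuously saves:

  • Raw HTML responses
  • JavaScript
  • CSS
  • JSON
  • Images
  • Fonts
  • Other same-domain raw response resources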

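Execution flow

  1. Receive the entry URL provided by the user.
  2. Run: node scripts/main.js <url>
  3. The script opens a visible browser tab.
  4. The user clicks through and switches pages manually in that tab.
  5. The script continuously listens for same-domain raw response content and writes it to the Desktop directory in real time.
  6. When the user closes the tab, the script exits automatically.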

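Rules

  • By default, only same-domain resources are saved.
  • Only http: and https: responses are saved.
  • By default, resources with special schemes such as blob:, data: and chrome-extension: are skipped.
  • The main document HTML is saved with response.text(), with the goal of staying as close as possible to the raw response content shown in DevTools Network.
  • page.content() is not used to save the main page, so the post-execution DOM snapshot is never treated as the raw HTML.
  • If the page is an SPA that switches routes without a new document response, no new HTML file is produced, but API and other resource responses continue to be saved.
  • If the user closes the tab, the script must exit automatically and must not keep running in the background.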
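
The filtering rules above, as an added example that is not the skill's own scripts/main.js. It assumes "same-domain" means an exact origin match and that files are laid out by URL path; shouldSave, outputRoot and localPathFor are hypothetical names, and example.test is a constructed host.

```javascript
const os = require("node:os");
const path = require("node:path");

// Rule check: keep only http:/https: responses whose origin matches the entry URL.
// The scheme test runs first because a blob: URL reports its creator's origin.
function shouldSave(responseUrl, entryUrl) {
  let res, entry;
  try {
    res = new URL(responseUrl);
    entry = new URL(entryUrl);
  } catch {
    return false; // unparsable URL: never save
  }
  if (res.protocol !== "http:" && res.protocol !== "https:") return false;
  return res.origin === entry.origin; // assumption: exact origin match
}

// Output root as described on the page: ~/Desktop/<domain>.
function outputRoot(entryUrl) {
  return path.join(os.homedir(), "Desktop", new URL(entryUrl).hostname);
}

// Map a response URL to a file under rootDir (hypothetical helper).
function localPathFor(responseUrl, rootDir) {
  const u = new URL(responseUrl);
  const segments = u.pathname.split("/").filter(Boolean).map((s) => {
    let decoded = s;
    try { decoded = decodeURIComponent(s); } catch { /* keep raw segment */ }
    // Encoded separators (%2f, %5c) and control characters become "_".
    return decoded.replace(/[\\/:*?"<>|\x00-\x1f]/g, "_");
  }).filter((s) => s !== "." && s !== "..");
  if (segments.length === 0 || u.pathname.endsWith("/")) segments.push("index.html");
  const root = path.resolve(rootDir);
  const target = path.resolve(root, ...segments);
  // Final containment check: the resolved path must stay under the root.
  if (!target.startsWith(root + path.sep)) {
    throw new Error(`refusing to write outside ${root}: ${responseUrl}`);
  }
  return target;
}
```

Because the saved tree is built from server-controlled URLs, the containment check is what keeps every write inside the per-domain folder.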

Dependencies

The skill's script depends on puppeteer. Before first use, install the dependencies in the skill directory:

cd scripts
npm install
