Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ScraperAPI Global Access

v1.0.0

Access websites from IPs in many countries worldwide; supports proxies in 25+ countries, JS rendering, user-behaviour simulation, performance monitoring, and resumable transfers. Suitable for ad verification, competitor analysis, SEO monitoring, GA testing, and CDN performance comparison.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious
high confidence
Purpose & Capability (flagged)
The SKILL.md and package.json present a generic 'global' ScraperAPI tool, but the code hardcodes BASE_URL='https://faceswap.cool' and a concrete SCRAPER_API_KEY. A general-purpose scraper would not embed a site-specific target and credential — this suggests the package is tailored to a single site despite claiming wide applicability.
Instruction Scope (flagged)
SKILL.md instructs use of many scripts (single_visit.js, performance_monitor.js, countries.json, etc.) that are not present in the package manifest. SKILL.md asks users to set SCRAPER_API_KEY in .env, but the runtime scripts ignore environment variables and use the embedded key. The runtime code performs network requests to api.scraperapi.com and writes progress.json and report files to disk (expected), but it uses HTTP for the ScraperAPI endpoint, which will transmit the API key in cleartext.
Install Mechanism
There is no install spec (instruction-only), but a package.json with a single dependency (axios) exists. Users must run npm install manually; nothing in the install mechanism downloads arbitrary code from untrusted URLs. This is low to moderate install risk.
Credentials (flagged)
SKILL.md and docs require SCRAPER_API_KEY and list environment variables, yet the registry metadata lists no required env. Worse, the code contains a hardcoded API key string ('fd18228b13dd001b794a8c74e9a35667'), which is a secret embedded in source — disproportionate and risky. The mismatch between declared requirements and embedded credentials is a red flag.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It reads/writes files in the working directory (progress.json, reports), which is expected for this functionality and not excessive.
What to consider before installing
This package is inconsistent and potentially risky. Before installing or running it:
(1) Do not trust the embedded API key; treat it as an exposed secret. If you provided that key anywhere, rotate it.
(2) If you intend to use the skill generally, review and replace the hardcoded SCRAPER_API_KEY and BASE_URL; better, modify the scripts to read process.env.SCRAPER_API_KEY and accept a target URL.
(3) Change the api.scraperapi.com calls to HTTPS so the key is not sent in plaintext.
(4) Verify the scripts referenced in SKILL.md but missing from the package (single_visit.js, performance_monitor.js, countries.json); the docs and code disagree.
(5) Only run this against sites you have permission to probe; scraping and GA triggering may violate terms or laws.
If you cannot confirm the author's intent or correct the hardcoded secret and HTTP usage, consider not installing this skill.
Static analysis finding (flagged): scripts/global_coverage.js:53 — file read combined with network send (possible exfiltration).
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.


Version: latest (vk970p9jxmgha6xy4fv0g2c5ars838zkm)
