ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Website ScreenshotOne (by ScreenshotOne)

v1.0.0

Use this skill when you need to take website screenshots with ScreenshotOne using direct curl commands, save the result to a local file, or choose Screenshot...

0· 113·0 current·0 all-time
byDmytro Krasun@krasun

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for krasun/screenshotone-website-screenshot.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Website ScreenshotOne (by ScreenshotOne)" (krasun/screenshotone-website-screenshot) from ClawHub.
Skill page: https://clawhub.ai/krasun/screenshotone-website-screenshot
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install screenshotone-website-screenshot

ClawHub CLI

Package manager switcher

npx clawhub@latest install screenshotone-website-screenshot
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description and the SKILL.md consistently describe taking screenshots via ScreenshotOne and show the exact curl commands needed — that purpose matches the instructions. However, the registry metadata claims no required environment variables while the runtime instructions explicitly require SCREENSHOTONE_ACCESS_KEY, which is an inconsistency.
Instruction Scope
Instructions are narrowly focused on building curl requests to api.screenshotone.com and saving results locally. They also document options like metadata_content, scripts, and storage: these are legitimate ScreenshotOne features but can return page contents or upload results to configured storage if a user enables them. The SKILL.md recommends passing the access_key in a query parameter; note that sending credentials in URLs can leak via logs or referer headers.
Install Mechanism
There is no install spec and no code files — this is instruction-only, which minimizes installation risk. Nothing is downloaded or written by the skill itself.
!
Credentials
The skill's instructions require SCREENSHOTONE_ACCESS_KEY, but the registry lists no required env vars or primary credential. That mismatch is a material omission. Beyond the access_key, no other credentials are requested in instructions; however, several request parameters (storage_endpoint, proxy, authorization, metadata options) can be used to move or disclose captured content, so the single access key should be treated as sensitive.
Persistence & Privilege
always:false (default) — the skill does not request permanent inclusion. The included agents/openai.yaml sets allow_implicit_invocation: true, which permits the agent to call this skill implicitly when eligible; that is normal but worth noting because it allows the agent to invoke screenshot captures without an explicit user command if policy allows it.
What to consider before installing
This skill appears to do what it says (build curl calls to ScreenshotOne), but there are a few practical risks and inconsistencies to weigh before installing: - The SKILL.md requires SCREENSHOTONE_ACCESS_KEY but the registry metadata does not declare any required env vars — confirm the skill owner and update metadata or refuse installation until the required credential is declared. - The examples pass the access_key as a query parameter. Query parameters (and generated URLs) can be logged or appear in Referer headers; prefer using a secure header-based flow or at least be aware of leakage risk when using sensitive URLs or shared environments. - The documented options include metadata_content and storage_* settings. If you enable metadata_content=true, the API can return page content (potentially sensitive). If you set storage_endpoint/storage_bucket, screenshots could be uploaded to arbitrary storage — ensure you control the destination. - Because this is an instruction-only skill with allow_implicit_invocation enabled, an agent could call it automatically when relevant. If you are concerned about automatic captures of sensitive URLs, disable implicit invocation or only use the skill in sessions where you explicitly permit it. What to do before installing: verify the skill owner (the registry owner id), insist the registry metadata be corrected to list SCREENSHOTONE_ACCESS_KEY as a required credential, and avoid using the skill with pages that contain sensitive data unless you control the ScreenshotOne account and any storage destinations. If you need more assurance, ask the publisher to change examples to use header-based auth or POST body auth to reduce URL leakage.

Like a lobster shell, security has layers — review code before you run it.

latestvk972bag1h8wx1gbxme16qwawgx84h1dd
113downloads
0stars
1versions
Updated 2w ago
v1.0.0
MIT-0
Dmytro Krasun@krasun
latest
Download

ScreenshotOne Website Screenshot

Overview

Use this skill to capture website screenshots through ScreenshotOne's HTTP API with curl.

Prefer direct curl --get --data-urlencode requests so the command is visible, easy to tweak, and easy to copy into GitHub examples.

Quick Start

Get your API key first:

  1. Go to https://screenshotone.com/.
  2. Sign up.
  3. Visit https://dash.screenshotone.com/access.
  4. Copy your access_key.

Set your API key first:

export SCREENSHOTONE_ACCESS_KEY="your_access_key"

Take a basic screenshot:

curl --fail --silent --show-error --location --get \
  --output "example.png" \
  --data-urlencode "url=https://example.com" \
  --data-urlencode "access_key=${SCREENSHOTONE_ACCESS_KEY}" \
  --data-urlencode "format=png" \
  "https://api.screenshotone.com/take"

Take a full-page screenshot with a larger viewport:

curl --fail --silent --show-error --location --get \
  --output "example-full-page.png" \
  --data-urlencode "url=https://example.com" \
  --data-urlencode "access_key=${SCREENSHOTONE_ACCESS_KEY}" \
  --data-urlencode "format=png" \
  --data-urlencode "full_page=true" \
  --data-urlencode "viewport_width=1440" \
  --data-urlencode "viewport_height=2200" \
  "https://api.screenshotone.com/take"

Wait for content and hide UI noise before capture:

curl --fail --silent --show-error --location --get \
  --output "example-clean.png" \
  --data-urlencode "url=https://example.com" \
  --data-urlencode "access_key=${SCREENSHOTONE_ACCESS_KEY}" \
  --data-urlencode "format=png" \
  --data-urlencode "wait_until=networkidle" \
  --data-urlencode "delay=2" \
  --data-urlencode "block_cookie_banners=true" \
  --data-urlencode "hide_selectors=.chat-widget,.newsletter-modal" \
  "https://api.screenshotone.com/take"

Workflow

  1. Pick the target URL, output file, and format.
  2. Pass credentials through SCREENSHOTONE_ACCESS_KEY.
  3. Build the request with curl --get and repeated --data-urlencode "key=value" flags.
  4. When choosing options, read references/screenshotone-options.md first.
  5. Use only the access key flow in this skill. Do not add signed-request or secret-key handling.

Command Template

Use this pattern for most requests:

curl --fail --silent --show-error --location --get \
  --output "<output-file>" \
  --data-urlencode "url=<target-url>" \
  --data-urlencode "access_key=${SCREENSHOTONE_ACCESS_KEY}" \
  --data-urlencode "format=png" \
  --data-urlencode "<option>=<value>" \
  "https://api.screenshotone.com/take"

Option Selection

Use these groups first:

  • Page size and coverage: full_page, viewport_width, viewport_height, selector
  • Stability and timing: wait_until, delay, timeout, wait_for_selector
  • Cleanup: block_cookie_banners, block_ads, hide_selectors, styles
  • Output shaping: format, image_quality, image_width, image_height, omit_background
  • Request context: cookies, headers, authorization, proxy, user_agent

If a request needs less common parameters, look them up in references/screenshotone-options.md, then add them as another --data-urlencode "key=value" flag.

Resources

Comments

Loading comments...