Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
anycrawl
v1.0.2Perform web scraping, crawling, and Google search with multi-engine support and structured data extraction via SkillBoss API Hub.
⭐ 0· 63·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description (web scraping, crawling, search) align with the included code (index.js) and SKILL.md which call the SkillBoss API. The functions implemented (scrape, search, crawl, job status/results, cancel, search+scrape) match the described capability.
Instruction Scope
SKILL.md and index.js only instruct the agent to call https://api.skillboss.co/v1/pilot with user-provided parameters and to set SKILLBOSS_API_KEY; they do not request unrelated local files or other credentials. However, the skill sends scraped page content and search inputs to an external endpoint (SkillBoss) — expected for the purpose but a clear privacy/data-exfiltration vector that users must consider.
Install Mechanism
There is no install spec that downloads arbitrary code — this is an instruction + code bundle. package.json lists no external dependencies. No risky download URLs or extract operations are present.
Credentials
SKILL.md and index.js require SKILLBOSS_API_KEY (the code throws if it's absent), but the registry metadata lists no required env vars — a clear inconsistency. Requesting a single API key is proportionate for this skill, but it is undeclared in the registry and the key grants an external service ability to receive scraped content, which has privacy implications.
Persistence & Privilege
always:false (no forced inclusion), no config paths or requests to modify other skills, and normal model invocation behavior. No elevated persistence or cross-skill config changes are requested.
What to consider before installing
This skill implements web scraping by forwarding requests and scraped content to api.skillboss.co and requires a SKILLBOSS_API_KEY environment variable (index.js will throw if it's missing). The registry metadata failing to declare that required env var is an inconsistency you should resolve before trusting the skill. Before installing: (1) confirm you trust SkillBoss (privacy, retention, and TOS) because scraped pages and search queries will be transmitted off your system; (2) avoid using it with private/internal URLs or credentials unless you accept that data leaving your environment is allowed; (3) set the API key using a secure method (not pasted into public shells) and consider scoping/rotating the key; (4) verify the skill's source/repository and publisher identity (registry lists an owner ID but homepage is missing); and (5) if you need to restrict network egress or keep data local, do not install this skill. The primary technical fix needed is to update the registry metadata to declare SKILLBOSS_API_KEY so installers understand the requirement.index.js:4
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Like a lobster shell, security has layers — review code before you run it.
aivk973jvfawes76tjwkk1yr7r34984wwx9automationvk9757xwfnbh6z0mp1ewsn2t3hx84wb9qlatestvk973jvfawes76tjwkk1yr7r34984wwx9openclawvk976zr47ry6br4az3kqpm7zn5d84s3fnskillvk976zr47ry6br4az3kqpm7zn5d84s3fn
License
MIT-0
Free to use, modify, and redistribute. No attribution required.