ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

url-shortener-mobile

v1.0.3

Guide for shortening any URL via public web services. Use whenever the user asks to shorten, abbreviate, or create a shareable link from a long URL. This ski...

0· 70·0 current·0 all-time
byTae-Min Choi@tmiu

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for tmiu/url-shortener-mobile.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "url-shortener-mobile" (tmiu/url-shortener-mobile) from ClawHub.
Skill page: https://clawhub.ai/tmiu/url-shortener-mobile
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install url-shortener-mobile

ClawHub CLI

Package manager switcher

npx clawhub@latest install url-shortener-mobile
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description (shortening URLs via public services) match the SKILL.md. The skill is instruction-only and requests no binaries, env vars, or installs — nothing unrelated to URL shortening is required.
!
Instruction Scope
Instructions directly call external shortener APIs (da.gd, cleanuri, tinyurl) via the existing http_fetch tool — expected for this purpose — but the SKILL.md includes an explicit note about using http_fetch because it 'bypasses the anti-bot filters that block the on-device QuickJS fetch.' That wording encourages evasion of anti-bot mechanisms and is a procedural red flag. Additionally, the instructions will send the original (possibly sensitive) URL to third-party servers; the guide does not require asking user consent or warning about privacy implications.
Install Mechanism
Instruction-only skill with no install spec and no code files. This is the lowest-risk install posture — nothing will be written to disk by the skill itself.
Credentials
The skill requests no environment variables, credentials, or config paths. There is no disproportionate credential access.
Persistence & Privilege
always:false and user-invocable:true (defaults) — the skill does not request permanent inclusion or elevated platform privileges.
What to consider before installing
This skill appears to do what it says (call public shortener APIs and return the short link) and it doesn't request credentials or install code, but you should consider: 1) Privacy: the original URL is transmitted to third-party services (da.gd, cleanuri, tinyurl). Do not shorten URLs that contain private tokens, PII, or sensitive query strings unless you're OK sharing them with those services. 2) Evasion note: the SKILL.md explicitly tells the agent to use http_fetch because it 'bypasses anti-bot filters' — that indicates intent to circumvent protections and is a red flag; confirm you trust the http_fetch tool and the policy implications of bypassing on-device network controls. 3) Behavior: the skill will perform network calls whenever invoked; if you need stricter auditing or user consent prompts before external requests, modify the instructions to require explicit user approval. If you want a cleaner risk profile, prefer a shortener that you control (self-hosted) or add a visible warning to users before performing the shortening.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🔗 Clawdis
latestvk97cn1kxqhmrswsa3b9n0zn0hn84w2e6
70downloads
0stars
4versions
Updated 1w ago
v1.0.3
MIT-0
Tae-Min Choi@tmiu
latest
Download

URL Shortener (guide)

This skill is instructions-only. It does not run any code on the device. When the user asks to shorten a URL, the agent should use the existing http_fetch tool to call one of the public shortener APIs below and then return the response body as the short URL.

Preferred backend: da.gd

GET https://da.gd/s?url=<URL-encoded original URL>

Exactly one call. Response body is the short URL as plain text (no JSON).

Agent procedure

  1. Extract the original URL from the user's message.
    • It must start with http:// or https://. If not, ask the user to provide one.
  2. URL-encode the original URL (apply encodeURIComponent to it).
  3. Call http_fetch with these parameters:
    • url: https://da.gd/s?url=<encoded original>
    • method: GET
  4. Take the raw response body, strip surrounding whitespace, and verify it starts with https://da.gd/. If so, return that as the short URL.
  5. If the body doesn't match, or the status is not 2xx, fall back to one of the alternate backends below.

Example

Original:

https://github.com/anthropics/claude-code/tree/main/docs/very/long/path

Encoded:

https%3A%2F%2Fgithub.com%2Fanthropics%2Fclaude-code%2Ftree%2Fmain%2Fdocs%2Fvery%2Flong%2Fpath

Fetch:

http_fetch({ url: "https://da.gd/s?url=https%3A%2F%2Fgithub.com%2Fanthropics%2Fclaude-code%2Ftree%2Fmain%2Fdocs%2Fvery%2Flong%2Fpath", method: "GET" })

Expected response body: https://da.gd/XXXXXX

Fallback 1: cleanuri.com

POST https://cleanuri.com/api/v1/shorten

  • method: POST
  • content_type: application/x-www-form-urlencoded
  • body: url=<URL-encoded original URL>

Response is JSON: {"result_url": "https://cleanuri.com/XXXXXX"}. Parse and return result_url.

Fallback 2: tinyurl.com (unreliable)

GET https://tinyurl.com/api-create.php?url=<URL-encoded original URL>

Response body is plain text like https://tinyurl.com/XXXXXX. Some clients get bot-detected and receive a "deprecated preview" placeholder — if the response body lies outside the https://tinyurl.com/ domain or redirects to tinyurl.com/preview/deprecated, treat it as a failure and move on.

Notes for the agent

  • Always verify the final short URL's domain matches the backend's own domain before returning it.
  • If all three backends fail, tell the user honestly — do not fabricate a short URL.
  • The user cares about reaching the original URL through the short link. Do not silently substitute a different destination.

Comments

Loading comments...