ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

URL to PNG

v0.0.2

Convert URL to PNG suitable for mobile reading.

0· 1.2k·2 current·2 all-time
by@guoqiao

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for guoqiao/url2png.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "URL to PNG" (guoqiao/url2png) from ClawHub.
Skill page: https://clawhub.ai/guoqiao/url2png
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: uv
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install url2png

ClawHub CLI

Package manager switcher

npx clawhub@latest install url2png
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with the included scripts: url2png.sh invokes 'uvx shot-scraper' to capture a long/mobile screenshot and save it (default ~/Pictures). Requiring the 'uv' binary is coherent because the scripts call 'uvx' (uv launcher).
Instruction Scope
SKILL.md instructs the agent to run url2png.sh, locate the generated PNG, and send it as a file. The scripts only fetch the provided URL and save a screenshot; they do not attempt to read unrelated files, environment variables, or external endpoints beyond the target webpage and the installation downloads.
Install Mechanism
There is no registry install spec, but install.sh uses 'uvx shot-scraper install --browser chromium' which will download shot-scraper and Chromium (Playwright runtime). This is expected for a screenshot tool but involves network downloads and installing a browser runtime (large binary). The download sources are not shown here (delegated to uv/shot-scraper); verify 'uv' and 'shot-scraper' are trusted and that you accept the browser download.
Credentials
No environment variables, credentials, or config paths are requested. The skill does not ask for unrelated secrets. The lack of credentials is proportionate to its stated purpose.
!
Persistence & Privilege
The skill is marked always:true (force-included in every agent run). That is unnecessary for a small URL->PNG utility and increases the blast radius if the skill or its dependencies are compromised. Autonomous invocation is normal, but always:true should be justified or removed.
Scan Findings in Context
[no-findings] expected: Static scan found no regex hits. That is consistent with these small, clear shell scripts and an instruction-only approach, but absence of findings is not definitive assurance.
What to consider before installing
This skill appears to do exactly what it claims: it runs shot-scraper (via the uv tool) to capture a mobile-formatted PNG of a given URL. Before installing or enabling it everywhere, consider: - Why is always:true set? That forces the skill to be included in every agent run; ask the maintainer to remove or justify this flag. - The installer will download and install shot-scraper and a Chromium runtime — expect a large download and verify you trust 'uv' and 'shot-scraper' (and their default download sources). If you operate in a restricted environment, block or review those downloads first. - The skill will load the target webpage (the user-supplied URL) in a browser; treat user-supplied URLs as untrusted content (could trigger remote requests, ads, trackers, or malicious pages). Limit who can provide URLs if that's a concern. - There are no credential requests and scripts don't read other files, which is good. But if you need stronger assurance, ask for the canonical upstream repository or author verification and request removal of always:true prior to enabling globally.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🦞 Clawdis
OSmacOS · Linux
Binsuv
Long screenshotvk974exrj21bfqxh347hb0avtq580z8peLongshotvk974exrj21bfqxh347hb0avtq580z8peiPhonevk974exrj21bfqxh347hb0avtq580z8pelatestvk974exrj21bfqxh347hb0avtq580z8peplaywrightvk974exrj21bfqxh347hb0avtq580z8pescreenshotvk974exrj21bfqxh347hb0avtq580z8peshot-scrapervk974exrj21bfqxh347hb0avtq580z8peurl-to-pngvk974exrj21bfqxh347hb0avtq580z8peurl2pngvk974exrj21bfqxh347hb0avtq580z8pe
1.2kdownloads
0stars
2versions
Updated 6h ago
v0.0.2
MIT-0
macOS, Linux
@guoqiao
Long screenshotLongshotiPhonelatestplaywrightscreenshotshot-scraperurl-to-pngurl2png
Download

URL to PNG

Given a url for a webpage, convert it to png suitable for mobile view.

See examples

Requirements

  • uv

Installation

bash ${baseDir}/install.sh

The script will:

  • install shot-scraper as uv tool
  • install chromium browser module for shot-scraper/playwright

Usage

# save to ~/Pictures with proper name by default
bash url2png.sh <url>
# specify output png path
bash url2png.sh <url> path/to/png

Agent Instructions

  1. Execute the url2png.sh script.
  2. Locate the generated PNG file (default in ~/Pictures if not specified).
  3. Send the file to the user. Crucial: To avoid compression or dimension limits (especially on Telegram), send the image as a document/file (or ZIP it), do not send as a photo.

Comments

Loading comments...