Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Web Fetch Fallback

v1.0.0

Fetch web content using curl as a fallback when web_fetch is blocked due to private, internal, or special-use IP address restrictions.

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for tiantian-douba/web-fetch-fallback.

Install the skill "Web Fetch Fallback" (tiantian-douba/web-fetch-fallback) from ClawHub.
Skill page: https://clawhub.ai/tiantian-douba/web-fetch-fallback
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install web-fetch-fallback

ClawHub CLI

npx clawhub@latest install web-fetch-fallback
Security Scan
Capability signals
  • Requires OAuth token
  • Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The skill's behavior (use curl to fetch web content when web_fetch blocks private/internal IPs) matches its name and description. One minor incoherence: the registry metadata lists no required binaries, yet the script and instructions rely on curl (and examples reference html2text). The skill should declare curl as a required binary.
Instruction Scope
The SKILL.md explicitly instructs the agent to bypass OpenClaw's IP-based security checks and run curl against internal/private addresses. While that is the stated purpose, it is high-risk because it enables accessing internal services and can facilitate SSRF or inadvertent data exposure if used on untrusted input. The instructions do not attempt to enforce domain whitelisting or automated URL validation beyond recommending best practices.
Install Mechanism
No install spec (instruction-only plus a simple reference shell script). Nothing is downloaded or installed by the skill itself, which is a low-risk install surface.
Credentials
The skill does not request environment variables or credentials. The script includes an example header for Authorization, but that is optional and user-supplied; no undeclared secrets or unrelated credentials are requested by the skill.
Persistence & Privilege
The skill does not request permanent presence (always is false) and does not modify other skills or system-wide settings. It runs only when invoked.
Assessment
This skill is coherent with its purpose but is explicitly designed to bypass platform IP restrictions — that is risky. Before installing or using it:

  1. Ensure curl is available on the agent host (the metadata should declare curl as a required binary).
  2. Restrict use to trusted, internal URLs and avoid passing untrusted user input directly into the fetch command to reduce SSRF/exfiltration risk.
  3. Prefer running it only when explicitly invoked by a user (not autonomously), and consider adding domain whitelisting or additional URL validation.
  4. Be cautious about sending Authorization headers or other secrets via this fallback; treat such uses as sensitive and audit their usage.

MIT-0

Web Fetch Fallback

This skill provides a fallback mechanism for fetching web content when the standard web_fetch tool is blocked due to security restrictions on private/internal IP addresses.

When to Use

Use this skill when:

  • web_fetch returns an error like "Blocked: resolves to private/internal/special-use IP address"
  • You need to fetch content from URLs that resolve to internal network addresses
  • The target URL is legitimate but blocked by OpenClaw's IP restrictions

Fallback Method: curl

When web_fetch is blocked, use curl via the exec tool to fetch the content:

Basic Usage

curl -sL "<URL>"

With Timeout and Follow Redirects

curl -sL --max-time 30 --connect-timeout 10 "<URL>"

Fetching with Custom Headers

curl -sL -H "User-Agent: Mozilla/5.0" -H "Accept: text/html" "<URL>"

Saving to File

curl -sL -o /tmp/fetched_content.html "<URL>"

Example: Fetch and Process Content

# Fetch content and extract text using html2text or similar
curl -sL "https://example.com" | html2text -utf8

# Or save and read
curl -sL -o /tmp/page.html "https://example.com"
cat /tmp/page.html

Reference Script

See scripts/curl_fetch.sh for a reusable curl-based fetching script with error handling and common options.

Limitations and Security Considerations

Limitations

  1. No built-in content extraction: Unlike web_fetch, curl returns raw HTML. You may need to parse/extract content manually.
  2. No automatic formatting: web_fetch returns markdown; curl returns raw HTTP response.
  3. Manual error handling: You must check curl exit codes and handle errors explicitly.

Security Considerations

⚠️ Important: This fallback bypasses OpenClaw's IP-based security checks. Only use when:

  1. You trust the target URL and its content
  2. The URL is from a legitimate internal service (e.g., company intranet, local development server)
  3. You have confirmed the URL is safe to access

Never use this fallback for:

  • Unknown or untrusted URLs
  • URLs from untrusted user input without validation
  • External websites that should be accessible via web_fetch (if blocked, there may be a legitimate security reason)

Best Practices

  1. Always use timeouts (--max-time, --connect-timeout) to prevent hanging
  2. Use -s (silent) and -S (show errors) for cleaner output: curl -sSL ...
  3. Check exit codes: curl returns 0 on success, non-zero on failure
  4. Consider rate limiting for multiple requests
  5. Validate URLs before fetching (avoid SSRF vulnerabilities)
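
One way to implement the URL validation and exit-code handling listed above, as an added example (not the skill's scripts/curl_fetch.sh and not OpenClaw code): an allowlist gate in front of curl. The host names in ALLOWED_HOSTS, the function names and the refusal status 125 are assumptions made for illustration.

```shell
# Added example: allowlist gate in front of curl. Host names are constructed placeholders.
ALLOWED_HOSTS="internal.company.com docs.internal.company.com"

# url_host URL: print the lowercase host, or return 1 if the URL is unacceptable.
url_host() {
  local url="$1" rest authority
  case "$url" in
    *[[:space:]]*) return 1 ;;          # no embedded whitespace or newlines
    http://*|https://*) ;;              # web schemes only (no file://, ftp://, ...)
    *) return 1 ;;
  esac
  rest="${url#*://}"
  authority="${rest%%[/?#]*}"           # cut at path, query or fragment
  case "$authority" in
    ""|*@*|*\\*) return 1 ;;            # empty host, userinfo, backslash
  esac
  printf '%s\n' "${authority%%:*}" | tr 'A-Z' 'a-z'   # drop port, fold case
}

# is_allowed_url URL: exit status 0 only for an exact host match on the allowlist.
is_allowed_url() {
  local host allowed
  host="$(url_host "$1")" || return 1
  for allowed in $ALLOWED_HOSTS; do
    [ "$host" = "$allowed" ] && return 0
  done
  return 1
}

# safe_fetch URL: refuse (status 125, this wrapper's own code) or fetch with timeouts.
safe_fetch() {
  local url="$1" rc=0
  is_allowed_url "$url" || { echo "refused: host not on allowlist" >&2; return 125; }
  # No -L: a redirect could point outside the allowlist, so it is not followed.
  curl -sS --proto '=http,https' --max-time 30 --connect-timeout 10 "$url" || rc=$?
  case "$rc" in
    0)  ;;
    6)  echo "curl: could not resolve host" >&2 ;;
    7)  echo "curl: failed to connect to host" >&2 ;;
    28) echo "curl: operation timeout" >&2 ;;
    35) echo "curl: SSL/TLS handshake failed" >&2 ;;
    *)  echo "curl: exit code $rc" >&2 ;;
  esac
  return "$rc"
}
```

The gate checks the host name only, not the address it resolves to, so the allowlist should contain names whose DNS you control.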

Common Exit Codes

Exit Code    Meaning
0            Success
6            Could not resolve host
7            Failed to connect to host
28           Operation timeout
35           SSL/TLS handshake failed

Example Workflow

1. Try web_fetch first:
   web_fetch(url="http://internal.company.com/docs")

2. If blocked with "private/internal IP" error, use curl fallback:
   exec(command='curl -sL --max-time 30 "http://internal.company.com/docs"')

3. Process the raw HTML output as needed
