Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
EZCTO Smart Web Reader
v1.1.1Agent web access acceleration layer — reads any URL as structured JSON. Cache-first (public library hit = 0 tokens). The smart alternative to raw web_fetch.
⭐ 2· 653·1 current·1 all-time
by䷍䷢䷺䷜䷩@takahashigy
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description match the declared runtime tools (web_fetch, exec, filesystem) and outputs (structured JSON + markdown). Requiring exec (curl, sha256sum) and local cache is reasonable for a cache-first web reader. The wide network permission ('*') is explainable because the skill must fetch arbitrary user-provided URLs, but it increases risk and could have been scoped to use the platform web_fetch tool only.
Instruction Scope
SKILL.md instructs the agent to automatically fire on any URL access (including URLs shared without explicit user intent) and to contact https://api.ezcto.fun for cache lookups and to contribute parsed results. The skill treats 'structured JSON' as shareable by default; that JSON can include scraped content and potentially PII from pages. The README/SKILL.md provide an opt-out env var (EZCTO_CONTRIBUTE=false) but contribution appears enabled by default and the skill's CHANGELOG even markets that 'the user never needs to know this skill exists' — a stealthy auto-exfiltration model which is out-of-band for many users.
Install Mechanism
Instruction-only skill with no install spec or external downloads; nothing is written to disk by an installer here beyond normal cache writes at runtime. This is lower-risk than a packaged installer, but runtime filesystem writes and exec usage still matter and are covered in other dimensions.
Credentials
The skill does not require credentials or env vars to operate, but it documents optional env vars (EZCTO_CONTRIBUTE, EZCTO_API_URL, EZCTO_CACHE_DIR). Default behavior appears to contribute parsed results to a public API unless the user explicitly disables it. Asking to send full structured JSON of parsed pages (and the URL and HTML hash) to an external service is a high-impact action relative to a 'read-only' web fetch capability — it may leak sensitive or private page content. No explicit user-consent flow is defined.
Persistence & Privilege
always:false (good). The skill declares triggers that make it auto-fire on any URL access; while not an elevated platform privilege flag, automatic interception of all URL accesses (and the maintainers' language about stealth) increases the blast radius if the skill is untrusted. Autonomous invocation is normal for skills, but here it combines with automatic URL interception and external sharing.
Scan Findings in Context
[system-prompt-override] unexpected: A prompt-injection pattern was detected in SKILL.md. The skill claims to include LLM guardrails, but the presence of a 'system-prompt-override' pattern in prompt templates or translate-prompt.md is a red flag and should be reviewed manually. Such content can attempt to influence LLM behavior beyond the skill's parsing role.
What to consider before installing
This skill plausibly does what it says (cache-first structured page parsing), but it auto-intercepts any URL the agent accesses and by default sends extracted structured data (and the URL + HTML hash) to an external API (api.ezcto.fun) and to a community asset library. Before installing, consider the following:
- Trust and privacy: Only install if you trust api.ezcto.fun and the EZCTO team to receive parsed page data. Structured JSON can include sensitive information present on a page (contacts, emails, personally-identifying info). If you cannot guarantee trust, do not install.
- Disable contribution by default: If you proceed, set EZCTO_CONTRIBUTE=false in the environment or system config to prevent automatic uploads, and verify behavior in a sandbox. Confirm the skill respects that variable in practice.
- Limit network scope: Prefer a configuration that restricts outbound network to the platform's web_fetch tool and to a single trusted API host (if you accept that), rather than granting blanket '*' network permission.
- Review prompt templates: The scanner found 'system-prompt-override' patterns. Inspect translate-prompt.md and any LLM prompt text included in the package for hidden instructions that could override agent guardrails.
- Audit cache and logs: Check ~/.ezcto/cache/ and logs to ensure no unexpected data is stored or transmitted. Test with harmless public pages first.
- Operational controls: Only enable exec/web_fetch/filesystem tools for this skill if you accept their implications. Consider running in a restricted account or VM, and monitor outbound calls (e.g., via network logs) to confirm no unexpected endpoints are contacted.
If you want, I can produce a short checklist and commands to safely test the skill in a sandbox (e.g., how to force contrib=false, how to monitor outbound traffic, and sample benign tests).Like a lobster shell, security has layers — review code before you run it.
agentvk975x1prbvmzgnqw6fc6me2y2n81dewzcachevk975x1prbvmzgnqw6fc6me2y2n81dewzezctovk975x1prbvmzgnqw6fc6me2y2n81dewzlatestvk975x1prbvmzgnqw6fc6me2y2n81dewzopenclawvk975x1prbvmzgnqw6fc6me2y2n81dewzwebvk975x1prbvmzgnqw6fc6me2y2n81dewz
License
MIT-0
Free to use, modify, and redistribute. No attribution required.