WebClip Save & Summarize Web Pages

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its web-clipping purpose, but its save function can write outside its cache when given a crafted filename.

Review this before installing if you plan to use the archive/save feature. The web fetching behavior is consistent with the skill's purpose, but custom filenames should be constrained to the cache directory to prevent accidental overwrites outside the archive.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If an agent or user supplies an unsafe filename, the skill could save page content outside the intended archive folder and overwrite local files the process can write.

Why it was flagged

The optional filename is joined to the cache directory without sanitizing path traversal or verifying the resolved path remains inside the cache. A crafted filename such as '../outside.md' could overwrite arbitrary writable files.

Skill content

const file = path.join(this.cacheDir, filename || slug + '.md');
fs.writeFileSync(file, clip.markdown);

Recommendation

Resolve the final path, require it to stay within the cache directory, reject '..' and absolute paths, and avoid overwriting existing files without explicit user confirmation.

What this means

A clipped page could include prompt-injection text that looks like instructions to the agent.

Why it was flagged

The skill intentionally feeds fetched web-page content into agent context. Web pages are untrusted and can contain text that attempts to instruct or mislead the agent.

Skill content

| `.text` | Raw clean text for agent context |

Recommendation

Treat clipped content as quoted source material only, and do not let web-page text override the user's task or safety instructions.

What this means

Saved clips can preserve untrusted or sensitive page content on disk and may influence later agent work if reused without review.

Why it was flagged

The skill creates a local cache/archive directory and persists fetched page markdown. This is disclosed and purpose-aligned, but saved web content may later be reused as context.

Skill content

this.cacheDir = options.cacheDir || './web-cache';
...
fs.writeFileSync(file, clip.markdown);

Recommendation

Store clips in a known project folder, review saved content before reusing it as agent context, and delete clips that contain sensitive or untrusted material.