GrabGrab
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may run curl and create media files in the current directory or a user-specified path.
The skill relies on local shell commands and writes downloaded files using values from the user and API response. This is expected for the downloader purpose, but users should be aware it performs local command-driven downloads.
Use `curl` via the Bash tool to call the API ... Action: Download the file using `curl -L -o <filename> "<url>"`.
Use it only for URLs you intend to download, confirm the save location, and avoid overwriting important files.
Users have limited registry-level provenance information and may need curl/python3 available even though requirements do not declare them.
The registry metadata does not declare a source homepage or the local tools the instructions depend on, although the skill is instruction-only and the tool use is visible in SKILL.md.
Source: unknown; Homepage: none; Required binaries (all must exist): none; No install spec — this is an instruction-only skill.
Review the GrabGrab service URL and ensure required local tools are available before using the skill.
GrabGrab may receive the media URL being downloaded, which could reveal private or sensitive links if the user provides them.
The workflow sends the user-provided media URL to GrabGrab's external API, and the proxy fallback can also send the download URL to that service.
curl -s -X POST "https://grabgrab.fun/api/download" ... -d '{"url": "<VIDEO_URL>", "videoQuality": "<QUALITY>"}'Do not submit private, signed, or confidential media URLs unless you are comfortable sharing them with the GrabGrab service.