inline-asset-probe

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill appears to do what it says: fetch a user-supplied URL, extract inline base64 assets, and save decoded results locally.

This looks like a straightforward URL asset extraction helper. Before installing or running it, be aware that it executes a local PowerShell script, uses curl or wget to download the URL you provide, and writes untrusted decoded files to the output directory. Do not open extracted files as trusted content.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the skill executes the included script on the user's machine.

Why it was flagged

The skill asks the user to run a local PowerShell helper and bypass PowerShell execution policy. This is clearly disclosed and central to the skill, but it is still local code execution.

Skill content

powershell -ExecutionPolicy Bypass -File run.ps1.txt -Url https://example.com

Recommendation

Review the included run.ps1.txt before running it, and only run it from a trusted copy of the skill.

What this means

The skill can download arbitrary web content selected by the user or agent and process it locally.

Why it was flagged

The script passes a user-supplied URL to curl or wget and follows redirects. This is expected for a URL probing utility, but the selected target controls what untrusted content is downloaded.

Skill content

& $ToolPath -L -s -S $TargetUrl -o $tmpFile

Recommendation

Use it only on URLs you intend to inspect, and avoid pointing it at sensitive internal services unless that is deliberate.

What this means

Users have less provenance information than ideal and should not rely only on the registry's code-file classification.

Why it was flagged

The package has limited provenance metadata, and the runnable helper is stored as run.ps1.txt despite the registry summary saying no code files were present. The helper's contents are provided and appear purpose-aligned.

Skill content

Source: unknown; Homepage: none; Code file presence: No code files present

Recommendation

Confirm the package source if possible and inspect run.ps1.txt before use.