Website Pickpocket

Review

Audited by ClawScan on May 10, 2026.

Overview

This skill is a broad website-cloning scraper whose docs include session-cookie use and anti-scraping bypass tips, so it should be reviewed carefully before use.

Only use this skill for websites you own or have explicit permission to copy. Do not provide real session cookies unless you understand that private logged-in content may be saved into the output. Because no implementation is included, verify the source of any `pickpocket` CLI before running it, and review generated JavaScript before opening or deploying the copied site.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent following this guidance could help bypass a website's anti-scraping controls or crawl sites outside the user's authorization.

Why it was flagged

The skill explicitly suggests using user-agent spoofing or a proxy when anti-scraping protections block the crawler.

Skill content

Problem: blocked by anti-scraping measures ... Solution: use `--user-agent` spoofing or configure a proxy

Recommendation

Use only on sites you own or are authorized to copy, avoid bypassing anti-bot controls, and require explicit user confirmation for proxy, spoofed user-agent, or large crawl settings.

What this means

If used with real session values, the crawler may copy private or account-protected pages into local output files.

Why it was flagged

The skill supports injecting session cookies and localStorage values, which can grant authenticated access to account-specific or private web content.

Skill content

Keeping the login session ... session:\n  cookies:\n    - name: session_id\n      value: "xxx"\n  localStorage:\n    - key: user

Recommendation

Only provide session cookies for authorized targets, restrict allowed domains and paths, and treat generated output as sensitive if it was captured while logged in.

What this means

A user or agent may need to run an external `pickpocket` command whose source and behavior are not verified by this skill package.

Why it was flagged

The reviewed package does not include the `pickpocket` executable or dependency definitions, so the actual implementation provenance cannot be assessed from these artifacts.

Skill content

No install spec — this is an instruction-only skill.

Recommendation

Install any referenced CLI only from a trusted source, review its package/code separately, and avoid running unknown binaries.

What this means

Running or opening the generated site may execute JavaScript copied from the target website.

Why it was flagged

The skill downloads JavaScript and extracts inline scripts as part of producing runnable website/project output.

Skill content

| JS | Download, extract inline scripts |

Recommendation

Review generated code before running it locally, especially when cloning unfamiliar sites or authenticated pages.