bg1avd

Safe Web Fetch for Save Token

by Rao Lin · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
Downloads: 303
Stars: 0
Active Installs: 1
Versions: 1
Install in OpenClaw
/install safe-web-fetch-for-save-token
Description
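A secure, smart web-fetching skill that saves 50-80% of tokens. It replaces the built-in web_fetch and automatically uses the Jina Reader cleaning service to obtain clean Markdown. It has built-in URL allowlist validation, enforced SSL verification, and sensitive-data detection to prevent SSRF and data leakage.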
Usage Guidance
This skill is mostly coherent but has a critical implementation vs. documentation mismatch: it will call the external Jina Reader (r.jina.ai) and send the original URL for server-side fetching and cleaning without running the script's sensitive-data checks first. That can leak API keys, tokens, or other secrets present on the page to an external service. Before installing or using it:
- If you cannot tolerate sending pages (or their URLs) to an external service, do not use the 'Jina Reader' path; require the skill to fetch locally first and run sensitive-data detection before any external call.
- Inspect or modify scripts/safe_fetch.py to enable detect_sensitive_data on the original page before calling Jina, or to skip Jina entirely and perform local cleaning.
- Restrict allowed_domains in config.json to a small explicit allowlist if you must use this skill in a sensitive environment.
- Be aware that the Jina request uses a path of the form https://r.jina.ai/http://{original}, which may not preserve the original scheme and could cause unexpected fetch behavior.
If you make the code change so the script checks for sensitive patterns prior to any external request (or removes the Jina step entirely), the concerns above would be resolved and the skill would be coherent with its stated security guarantees.
Capability Analysis
Type: OpenClaw Skill
Name: safe-web-fetch-for-save-token
Version: 1.0.0
The skill bundle provides a utility for fetching and cleaning web content using the Jina Reader service or direct requests. Analysis of `scripts/safe_fetch.py` confirms the implementation of robust security features, including SSRF protection via IP resolution checks, mandatory SSL verification, and regex-based sensitive data detection (e.g., API keys, private keys) to prevent data leakage. The code uses standard Python libraries and lacks any indicators of malicious intent, obfuscation, or unauthorized data exfiltration.
Capability Assessment
Purpose & Capability
Name/description match the implementation: a Python script that fetches pages, tries Jina Reader for cleaned Markdown, and falls back to a local fetch+clean. Required binaries (python3) and lack of credentials/config paths are proportional. Use of an external cleaning service (r.jina.ai) is consistent with the stated 'Jina Reader' behavior.
Instruction Scope
SKILL.md promises sensitive-data detection and 'not sending pages containing API keys/tokens', but the code disables sensitive-data checks when it invokes Jina Reader (fetch_with_jina calls fetch_url_direct with check_sensitive=False). That means the original URL (and the page content) is sent to the external r.jina.ai service before any local sensitive-data detection, contradicting the documented security guarantees and enabling potential data exposure. Also the script constructs the Jina URL as https://r.jina.ai/http://{clean_url} (it injects an http:// path), which can cause scheme downgrades or mismatches relative to the original URL — another mismatch with the 'security-first' claim.
Install Mechanism
Instruction-only skill with a bundled Python script; no install spec, no external downloads, and no packages installed by an installer. Low install risk.
Credentials
The skill requests no environment variables, no external credentials, and no config paths beyond its own config.json. That is proportionate to its stated purpose.
Persistence & Privilege
always is false, agent-invocable/autonomous invocation left default. The SKILL.md and code state the skill does not modify agent configuration. No privileged persistence or cross-skill configuration changes are requested.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install safe-web-fetch-for-save-token
  3. After installation, invoke the skill by name or use /safe-web-fetch-for-save-token
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
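Initial release: a secure, smart web-fetching skill that saves 50-80% of tokens, with built-in SSRF protection, enforced SSL verification, and sensitive-data detection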
Metadata
Slug safe-web-fetch-for-save-token
Version 1.0.0
License
All-time Installs 1
Active Installs 1
Total Versions 1
Frequently Asked Questions

What is Safe Web Fetch for Save Token?

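A secure, smart web-fetching skill that saves 50-80% of tokens. It replaces the built-in web_fetch and automatically uses the Jina Reader cleaning service to obtain clean Markdown. It has built-in URL allowlist validation, enforced SSL verification, and sensitive-data detection to prevent SSRF and data leakage. It is an AI Agent Skill for Claude Code / OpenClaw, with 303 downloads so far.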

How do I install Safe Web Fetch for Save Token?

Run "/install safe-web-fetch-for-save-token" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Safe Web Fetch for Save Token free?

Yes, Safe Web Fetch for Save Token is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Safe Web Fetch for Save Token support?

Safe Web Fetch for Save Token is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Safe Web Fetch for Save Token?

It is built and maintained by Rao Lin (@bg1avd); the current version is v1.0.0.
