bg1avd

Safe Web Fetch for Save Token

Author: Rao Lin · GitHub · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 303
Favorites: 0
Current installs: 1
Versions: 1
Install in OpenClaw
/install safe-web-fetch-for-save-token
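Description
A secure, smart web-fetching skill that saves 50-80% of tokens. It replaces the built-in web_fetch and automatically uses the Jina Reader cleaning service to obtain clean Markdown. Built-in URL allowlist validation, enforced SSL verification, and sensitive-data detection prevent SSRF and data leakage.
Security usage advice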
This skill is mostly coherent but has a critical implementation vs. documentation mismatch: it will call the external Jina Reader (r.jina.ai) and send the original URL for server-side fetching and cleaning without running the script's sensitive-data checks first. That can leak API keys, tokens, or other secrets present on the page to an external service. Before installing or using it:
- If you cannot tolerate sending pages (or their URLs) to an external service, do not use the 'Jina Reader' path; require the skill to fetch locally first and run sensitive-data detection before any external call.
- Inspect or modify scripts/safe_fetch.py to enable detect_sensitive_data on the original page before calling Jina, or to skip Jina entirely and perform local cleaning.
- Restrict allowed_domains in config.json to a small explicit allowlist if you must use this skill in a sensitive environment.
- Be aware that the Jina request uses a path of the form https://r.jina.ai/http://{original}, which may not preserve the original scheme and could cause unexpected fetch behavior.
If you make the code change so the script checks for sensitive patterns prior to any external request (or removes the Jina step entirely), the concerns above would be resolved and the skill would be coherent with its stated security guarantees.
Functional analysis
Type: OpenClaw Skill
Name: safe-web-fetch-for-save-token
Version: 1.0.0
The skill bundle provides a utility for fetching and cleaning web content using the Jina Reader service or direct requests. Analysis of `scripts/safe_fetch.py` confirms the implementation of robust security features, including SSRF protection via IP resolution checks, mandatory SSL verification, and regex-based sensitive data detection (e.g., API keys, private keys) to prevent data leakage. The code uses standard Python libraries and lacks any indicators of malicious intent, obfuscation, or unauthorized data exfiltration.
Capability assessment
Purpose & Capability
Name/description match the implementation: a Python script that fetches pages, tries Jina Reader for cleaned Markdown, and falls back to a local fetch+clean. Required binaries (python3) and lack of credentials/config paths are proportional. Use of an external cleaning service (r.jina.ai) is consistent with the stated 'Jina Reader' behavior.
Instruction Scope
SKILL.md promises sensitive-data detection and 'not sending pages containing API keys/tokens', but the code disables sensitive-data checks when it invokes Jina Reader (fetch_with_jina calls fetch_url_direct with check_sensitive=False). That means the original URL (and the page content) is sent to the external r.jina.ai service before any local sensitive-data detection, contradicting the documented security guarantees and enabling potential data exposure. Also the script constructs the Jina URL as https://r.jina.ai/http://{clean_url} (it injects an http:// path), which can cause scheme downgrades or mismatches relative to the original URL — another mismatch with the 'security-first' claim.
Install Mechanism
Instruction-only skill with a bundled Python script; no install spec, no external downloads, and no packages installed by an installer. Low install risk.
Credentials
The skill requests no environment variables, no external credentials, and no config paths beyond its own config.json. That is proportionate to its stated purpose.
Persistence & Privilege
always is false, agent-invocable/autonomous invocation left default. The SKILL.md and code state the skill does not modify agent configuration. No privileged persistence or cross-skill configuration changes are requested.
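How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install safe-web-fetch-for-save-token
  3. Once installation completes, call the Skill by name or trigger it with /safe-web-fetch-for-save-token
  4. Provide the required inputs according to the Skill's parameter documentation to get structured output
Version history
v1.0.0
Initial release: a secure, smart web-fetching skill that saves 50-80% of tokens, with built-in SSRF protection, enforced SSL verification, and sensitive-data detection
Metadata
Slug safe-web-fetch-for-save-token
Version 1.0.0
License
Total installs 1
Current installs 1
Historical versions 1
FAQ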

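What is Safe Web Fetch for Save Token?

A secure, smart web-fetching skill that saves 50-80% of tokens. It replaces the built-in web_fetch and automatically uses the Jina Reader cleaning service to obtain clean Markdown. Built-in URL allowlist validation, enforced SSL verification, and sensitive-data detection prevent SSRF and data leakage. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 303 total downloads so far.

How do I install Safe Web Fetch for Save Token?

Run the command "/install safe-web-fetch-for-save-token" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is Safe Web Fetch for Save Token free?

Yes, Safe Web Fetch for Save Token is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Safe Web Fetch for Save Token support?

Safe Web Fetch for Save Token runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Safe Web Fetch for Save Token?

Developed and maintained by Rao Lin (@bg1avd); the current version is v1.0.0.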
