← 返回 Skills 市场
473
总下载
0
收藏
6
当前安装
2
版本数
在 OpenClaw 中安装
/install scrapling-fetch
功能描述
支持自动绕过 Cloudflare Turnstile 和微信公众号反爬机制的网页内容抓取工具,输出干净Markdown或纯文本。
安全使用建议
This skill appears to do the scraping it claims, but there are red flags you should address before installing or running it:
- Hard-coded billing API key: scripts/fetch_paid.py contains a visible BILLING_API_KEY value. Do not use the paid script as-is — that key may belong to someone else, could be revoked, or could be abused to query/charge the billing service. Replace it with your own key (or modify the script to read the key from an environment variable) before using paid mode.
- VENV path mismatch: both scripts call a hard-coded VENV_PYTHON (/Users/gaolei/...) which likely won't exist on your machine. Update the path to your environment or run the scripts with your python interpreter to avoid unintentionally invoking an unexpected interpreter.
- Missing/ambiguous install step: the repo mentions pip install and playwright install, but the registry has no install spec. Ensure dependencies (scrapling, playwright, requests, etc.) are installed in an isolated virtualenv before running.
- Network & legal considerations: the tool bypasses anti-bot protections. Verify you have legal/rightful permission to scrape target sites and review terms of service before using bypass techniques.
- Operational safety: run initial tests against safe/public pages. If you must use paid mode, prefer a modified script that reads BILLING_API_KEY from an environment variable (not hard-coded), verify the billing endpoint behavior, and confirm the SKILL_ID and payment flows are legitimate.
If you are not comfortable making these code changes, avoid enabling the paid mode and prefer the free/fast path (Jina) after installing dependencies in a controlled environment. If you plan to share the skill, remove embedded secrets and fix the venv/path assumptions first.
功能分析
Type: OpenClaw Skill
Name: scrapling-fetch
Version: 1.1.0
The skill contains a critical Python code injection vulnerability in both `scripts/fetch.py` and `scripts/fetch_paid.py`, where the `url` argument is unsanitized and embedded directly into a string executed via `subprocess.run`. It also implements a non-standard monetization system using an obscure third-party service (skillpay.me) with a hardcoded API key, which tracks usage and requests payments. Furthermore, the scripts contain hardcoded local file paths (e.g., `/Users/gaolei/...`), indicating poor packaging and potential execution failures on other systems.
能力评估
Purpose & Capability
The name/description (anti-bot web fetch) aligns with included scripts that use Scrapling, Playwright, and Jina Reader. However, the skill claims no required credentials/config but includes a paid mode that expects an API key; references/skill.json lists dependencies/install commands although the registry install spec is empty. These inconsistencies (no declared env vars but an embedded billing key; install command present only in files) reduce coherence.
Instruction Scope
SKILL.md and the scripts instruct the agent to run local Python scripts that fetch pages, call r.jina.ai, and contact skillpay.me for billing. The runtime instructions do not request unrelated system files or secrets. They do, however, point at a fixed virtualenv path and show commands that assume local filesystem layout (e.g., ~/.openclaw/workspace/.venv).
Install Mechanism
There is no install spec in the registry (instruction-only), which is the lowest-risk case, but repository files (README and references/skill.json) include pip/playwright install commands. This mismatch means installation is manual and the skill expects external packages (scrapling, playwright) to be present; that is reasonable for the stated purpose but the missing official install step is an operational inconsistency.
Credentials
Although the declared requirements list no env vars/credentials, scripts/fetch_paid.py include a hard-coded billing API key (BILLING_API_KEY) and a SKILL_ID. Embedding a secret in code is disproportionate and risky: the key could be abused by anyone with the skill bundle, and the skill will call billing endpoints using that key. The script also hard-codes VENV_PYTHON to a specific user path (/Users/gaolei/...), which is brittle and inconsistent with the declared venv path in references/skill.json.
Persistence & Privilege
The skill is not always-enabled and uses normal agent invocation. It does not request elevated system privileges or attempt to modify other skill configurations. No persistent installation mechanism is enforced by the registry metadata.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install scrapling-fetch - 安装完成后,直接呼叫该 Skill 的名称或使用
/scrapling-fetch触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.1.0
新增付费版本,集成SkillPay计费系统,支持自动扣费和充值链接生成
v1.0.0
首个版本:支持微信/反爬绕过,集成 SkillPay 付费
元数据
常见问题
Scrapling Fetch 是什么?
支持自动绕过 Cloudflare Turnstile 和微信公众号反爬机制的网页内容抓取工具,输出干净Markdown或纯文本。 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 473 次。
如何安装 Scrapling Fetch?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install scrapling-fetch」即可一键安装,无需额外配置。
Scrapling Fetch 是免费的吗?
是的,Scrapling Fetch 完全免费(开源免费),可自由下载、安装和使用。
Scrapling Fetch 支持哪些平台?
Scrapling Fetch 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Scrapling Fetch?
由 imgolye(@imgolye)开发并维护,当前版本 v1.1.0。
推荐 Skills