Scrapling Fetch

by imgolye · GitHub ↗ · v1.1.0
cross-platform ⚠ suspicious
Downloads: 473
Stars: 0
Active Installs: 6
Versions: 2
Install in OpenClaw
/install scrapling-fetch
Description
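A web content scraping tool that automatically bypasses Cloudflare Turnstile and WeChat Official Account anti-scraping mechanisms, outputting clean Markdown or plain text.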
Usage Guidance
This skill appears to do the scraping it claims, but there are red flags you should address before installing or running it:

- Hard-coded billing API key: scripts/fetch_paid.py contains a visible BILLING_API_KEY value. Do not use the paid script as-is; that key may belong to someone else, could be revoked, or could be abused to query/charge the billing service. Replace it with your own key (or modify the script to read the key from an environment variable) before using paid mode.
- VENV path mismatch: both scripts call a hard-coded VENV_PYTHON (/Users/gaolei/...) which likely won't exist on your machine. Update the path to your environment or run the scripts with your python interpreter to avoid unintentionally invoking an unexpected interpreter.
- Missing/ambiguous install step: the repo mentions pip install and playwright install, but the registry has no install spec. Ensure dependencies (scrapling, playwright, requests, etc.) are installed in an isolated virtualenv before running.
- Network & legal considerations: the tool bypasses anti-bot protections. Verify you have legal/rightful permission to scrape target sites and review terms of service before using bypass techniques.
- Operational safety: run initial tests against safe/public pages. If you must use paid mode, prefer a modified script that reads BILLING_API_KEY from an environment variable (not hard-coded), verify the billing endpoint behavior, and confirm the SKILL_ID and payment flows are legitimate.

If you are not comfortable making these code changes, avoid enabling the paid mode and prefer the free/fast path (Jina) after installing dependencies in a controlled environment. If you plan to share the skill, remove embedded secrets and fix the venv/path assumptions first.
Capability Analysis
Type: OpenClaw Skill
Name: scrapling-fetch
Version: 1.1.0

The skill contains a critical Python code injection vulnerability in both `scripts/fetch.py` and `scripts/fetch_paid.py`, where the `url` argument is unsanitized and embedded directly into a string executed via `subprocess.run`. It also implements a non-standard monetization system using an obscure third-party service (skillpay.me) with a hardcoded API key, which tracks usage and requests payments. Furthermore, the scripts contain hardcoded local file paths (e.g., `/Users/gaolei/...`), indicating poor packaging and potential execution failures on other systems.
Capability Assessment
Purpose & Capability
The name/description (anti-bot web fetch) aligns with included scripts that use Scrapling, Playwright, and Jina Reader. However, the skill claims no required credentials/config but includes a paid mode that expects an API key; references/skill.json lists dependencies/install commands although the registry install spec is empty. These inconsistencies (no declared env vars but an embedded billing key; install command present only in files) reduce coherence.
Instruction Scope
SKILL.md and the scripts instruct the agent to run local Python scripts that fetch pages, call r.jina.ai, and contact skillpay.me for billing. The runtime instructions do not request unrelated system files or secrets. They do, however, point at a fixed virtualenv path and show commands that assume local filesystem layout (e.g., ~/.openclaw/workspace/.venv).
Install Mechanism
There is no install spec in the registry (instruction-only), which is the lowest-risk case, but repository files (README and references/skill.json) include pip/playwright install commands. This mismatch means installation is manual and the skill expects external packages (scrapling, playwright) to be present; that is reasonable for the stated purpose but the missing official install step is an operational inconsistency.
Credentials
Although the declared requirements list no env vars/credentials, scripts/fetch_paid.py includes a hard-coded billing API key (BILLING_API_KEY) and a SKILL_ID. Embedding a secret in code is disproportionate and risky: the key could be abused by anyone with the skill bundle, and the skill will call billing endpoints using that key. The script also hard-codes VENV_PYTHON to a specific user path (/Users/gaolei/...), which is brittle and inconsistent with the declared venv path in references/skill.json.
Persistence & Privilege
The skill is not always-enabled and uses normal agent invocation. It does not request elevated system privileges or attempt to modify other skill configurations. No persistent installation mechanism is enforced by the registry metadata.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install scrapling-fetch
  3. After installation, invoke the skill by name or use /scrapling-fetch
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.0
Added a paid version that integrates the SkillPay billing system, with support for automatic charging and top-up link generation
v1.0.0
First version: supports WeChat/anti-scraping bypass, integrates SkillPay payment
Metadata
Slug scrapling-fetch
Version 1.1.0
License
All-time Installs 6
Active Installs 6
Total Versions 2
Frequently Asked Questions

What is Scrapling Fetch?

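A web content scraping tool that automatically bypasses Cloudflare Turnstile and WeChat Official Account anti-scraping mechanisms, outputting clean Markdown or plain text. It is an AI Agent Skill for Claude Code / OpenClaw, with 473 downloads so far.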

How do I install Scrapling Fetch?

Run "/install scrapling-fetch" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Scrapling Fetch free?

Yes, Scrapling Fetch is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Scrapling Fetch support?

Scrapling Fetch is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Scrapling Fetch?

It is built and maintained by imgolye (@imgolye); the current version is v1.1.0.
