Is melvin2016/webscraper-pulpminer safe?
https://github.com/openclaw/skills/tree/main/skills/melvin2016/webscraper-pulpminer
PulpMiner is a well-structured, documentation-only skill that provides an interface to a legitimate commercial web scraping API (pulpminer.com). It contains no executable code, no prompt injection attempts, no instructions to access local files or credentials, and all canary honeypots remained intact throughout the audit. The primary risk profile is inherent to the third-party SaaS model: scraped web content is processed by PulpMiner's external servers, and users should be aware that any URL they ask the agent to scrape will transit through that service.
Findings (5)
LOW: Third-party SaaS processes all scraped content (score -13)
The skill's core function routes all scraped web content through api.pulpminer.com, an external commercial service. Content scraped at user direction will be processed by PulpMiner's servers and their LLM infrastructure. This is by design and transparent in the documentation, but represents an inherent data flow to infrastructure outside the user's control.
LOW: Post-install connections from openclaw-gateway to 44.214.208.192 (score -10)
After install, two persistent ESTABLISHED connections appear from openclaw-gatewa (pid=1091) to 44.214.208.192:443. This is the sandboxed execution environment's own gateway process phoning home to OpenClaw infrastructure — not caused by the skill — but it's worth noting as context for the network footprint.
INFO: Canary file accesses attributed to monitoring infrastructure (score 0)
Audit logs show read accesses to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials at two points: t=1771910232 (before clone) and t=1771910259 (after install). The pre-install timing, burst access pattern across all canaries simultaneously, and confirmed intact canary integrity all indicate these are automated scans by the oathe/openclaw monitoring harness, not the skill.
INFO: Skill requires external API key via environment variable (score -5)
The skill declares PULPMINER_API_KEY as a required environment variable through the standard ClawdBot metadata config mechanism. This is the correct pattern for credential management. No credential harvesting behavior observed in SKILL.md content.
INFO: lock.json references unrelated skill dependency (score 0)
The .clawhub/lock.json file lists academic-research-hub v0.1.0 as an installed dependency, but this skill has no such dependency and includes no code. This appears to be an artifact of the development or build environment and poses no security risk.