Read any website or search Google, even when sites block bots or are geo-restricted. Handles CAPTCHAs, JavaScript rendering, and anti-bot protection server-s...
Security Analysis
high confidence
The skill's requirements and runtime instructions are internally consistent with its stated purpose (a curl-based front-end for Massive's Unblocker API) and it does not request unrelated system access or install arbitrary code.
Name and description (fetch blocked sites, handle CAPTCHAs/JS, search Google) match the declared requirements: only curl and a single API token (MASSIVE_UNBLOCKER_TOKEN) are required. The SKILL.md and README consistently point at the unblocker.joinmassive.com browser and search endpoints and show curl examples that use the token.
Instructions are narrowly scoped to making authenticated GET requests to Massive's Unblocker endpoints and looping over URLs; they explicitly refuse to proceed without MASSIVE_UNBLOCKER_TOKEN. However, the skill explicitly advises using it to bypass anti-bot protections, CAPTCHAs, paywalls and geo-restrictions — behavior that is high-risk from an abuse/terms-of-service perspective even though it is coherent with the product purpose. The SKILL.md does not direct reading other files, other env vars, or exfiltration to unexpected endpoints.
No install spec or code files are present (instruction-only). That minimizes local install risk; nothing is downloaded or written to disk by the skill itself.
Only a single API token (MASSIVE_UNBLOCKER_TOKEN) is required and is used directly in examples. The primaryEnv matches the declared required env var. There are no additional unrelated credentials or config paths requested.
The skill does not request always:true and is user-invocable (defaults). It does not attempt to modify other skills or system-wide settings; being instruction-only it has no mechanism to persist itself beyond the normal skill lifecycle.
Guidance
This skill is coherent: it just shells out to Massive's Unblocker REST endpoints using curl and a single API token. Before installing or enabling it, consider the following:
- Token safety: The MASSIVE_UNBLOCKER_TOKEN is the only secret required. Treat it like any API key — do not paste it into public chat logs, share it, or commit it to repos. Prefer environment variables scoped to the agent runtime and rotate keys if possible.
- Billing & access: The token likely ties to usage/billing and to a network of residential proxies that may incur costs. Verify pricing, quotas, and subaccount options in the provider dashboard before running broad scraping jobs.
- Legal / policy risk: The skill is explicitly designed to bypass CAPTCHAs, paywalls, geo-blocking, and other anti-bot protections. Using it may violate target sites' terms of service or applicable law. Ensure you have the right to fetch the content and that your use case complies with policy and law.
- Abuse potential: Because it can fetch arbitrary URLs and search Google from many regions, restrict its use to trusted users and audit queries. Consider limiting automated or bulk requests to avoid high-cost or high-risk activity.
- Provider trust: The skill points to unblocker.joinmassive.com / clawpod.joinmassive.com. If you rely on this service, verify the provider's identity, privacy policy, data retention, and whether they retain or log fetched content (sensitive data could be sent to the service).

Operationally: there is no local install or suspicious file I/O in the skill bundle, but the main risk is off-box (the remote service and the API token). If you need lower risk, avoid providing the token or use a short-lived/restricted token or a subaccount with limited credits.
Latest Release
v0.1.7
- All Bash/curl usage updated to require HTTPS via `curl --proto =https`.
- `allowed-tools` updated to enforce the HTTPS protocol in curl commands.
- Documentation and usage examples now explicitly show HTTPS enforcement for improved security.
Published by @codeninja23 on ClawHub