ClawHub

TinyFish Web Agent

v1.0.2

Use TinyFish web agent to extract/scrape websites, extract data, and automate browser actions using natural language. Use when you need to extract/scrape data from websites, handle bot-protected sites, or automate web tasks.

3· 2.9k·4 current·4 all-time
bySimantak Dabhade@simantak-dabhade
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md and included script both require a TINYFISH_API_KEY and call https://agent.tinyfish.ai, which is coherent with the stated purpose. However, the registry-level Requirements summary in the provided metadata claims 'Required env vars: none' — this is an internal inconsistency that should be corrected or explained.
Instruction Scope
Runtime instructions are narrowly scoped to calling the TinyFish API via curl and to verify the TINYFISH_API_KEY before proceeding. The skill does not instruct the agent to read unrelated system files or other credentials. Note: the agent will send page content (the thing being scraped) to the TinyFish service — expected for a scraper, but this means scraped data (which may include PII or secrets) is transmitted off-host.
Install Mechanism
This is instruction-only with one small helper script; no install spec, no external downloads, and no archives are extracted. The included bash script simply builds a JSON payload and calls the documented API endpoint.
Credentials
Only one credential (TINYFISH_API_KEY) is used/required by the SKILL.md and script, which is proportional to the described remote API usage. However, the registry metadata omitted this requirement, creating ambiguity about expected credentials.
Persistence & Privilege
The skill does not request always: true and has no special persistence or ability to modify other skills or global agent settings. It runs on demand and uses normal network calls.
What to consider before installing
This skill appears to do what it says: send scraping requests to TinyFish using a TINYFISH_API_KEY. Before installing, consider the following: - Confirm the credential mismatch: the SKILL.md and script require TINYFISH_API_KEY, but the top-level metadata omitted it. Ask the publisher to correct the manifest or explain why it's missing. - Data exfiltration risk: scraped pages (HTML, form responses, etc.) are sent to agent.tinyfish.ai. If you intend to scrape pages that contain sensitive data (credentials, PII, private endpoints), do not use this skill unless you have explicit permission and trust the TinyFish service and its privacy/security controls. - Legal/ethical risk: the 'stealth' browser_profile and proxy options explicitly enable evading bot protections and geolocation restrictions. Using those features can violate site terms of service or local law—review the target site's terms and applicable law before use. - Verify publisher/trust: the Source is unknown; check the homepage, documentation, and publisher identity (owner ID) before entrusting API keys. Prefer storing API keys in secure vaults rather than in plaintext files; if using the suggested Claude-specific settings file, be aware that file-level storage may expose secrets to other local processes. - If you need confidentiality, consider running your own scraper or a self-hosted alternative so scraped data never leaves your environment. If the publisher provides more information (official docs, privacy/security policy, or an updated registry manifest that includes the TINYFISH_API_KEY requirement), re-evaluate — that could raise confidence toward 'benign'.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dcf89cb0ae9487w52wcv3q180x73x
2.9kdownloads
3stars
3versions
Updated 1mo ago
v1.0.2
MIT-0
Simantak Dabhade@simantak-dabhade
latest
Download

TinyFish Web Agent

Requires: TINYFISH_API_KEY environment variable

Pre-flight Check (REQUIRED)

Before making any API call, always run this first to verify the key is available:

[ -n "$TINYFISH_API_KEY" ] && echo "TINYFISH_API_KEY is set" || echo "TINYFISH_API_KEY is NOT set"

If the key is not set, you MUST stop and ask the user to add their API key. Do NOT fall back to other tools or approaches — the task requires TinyFish.

Tell the user:

You need a TinyFish API key. Get one at: https://agent.tinyfish.ai/api-keys

Then set it so the agent can use it:

Option 1 — Environment variable (works everywhere):

export TINYFISH_API_KEY="your-key-here"

Option 2 — Claude Code settings (Claude Code only): Add to ~/.claude/settings.local.json:

{
  "env": {
    "TINYFISH_API_KEY": "your-key-here"
  }
}

Do NOT proceed until the key is confirmed available.

Best Practices

  1. Specify JSON format: Always describe the exact structure you want returned
  2. Parallel calls: When extracting from multiple independent sites, make separate parallel calls instead of combining into one prompt

Basic Extract/Scrape

Extract data from a page. Specify the JSON structure you want:

curl -N -s -X POST "https://agent.tinyfish.ai/v1/automation/run-sse" \
  -H "X-API-Key: $TINYFISH_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://example.com",
    "goal": "Extract product info as JSON: {\"name\": str, \"price\": str, \"in_stock\": bool}"
  }'

Multiple Items

Extract lists of data with explicit structure:

curl -N -s -X POST "https://agent.tinyfish.ai/v1/automation/run-sse" \
  -H "X-API-Key: $TINYFISH_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://example.com/products",
    "goal": "Extract all products as JSON array: [{\"name\": str, \"price\": str, \"url\": str}]"
  }'

Stealth Mode

For bot-protected sites, add "browser_profile": "stealth" to the request body:

curl -N -s -X POST "https://agent.tinyfish.ai/v1/automation/run-sse" \
  -H "X-API-Key: $TINYFISH_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://protected-site.com",
    "goal": "Extract product data as JSON: {\"name\": str, \"price\": str, \"description\": str}",
    "browser_profile": "stealth"
  }'

Proxy

Route through a specific country by adding "proxy_config" to the body:

curl -N -s -X POST "https://agent.tinyfish.ai/v1/automation/run-sse" \
  -H "X-API-Key: $TINYFISH_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://geo-restricted-site.com",
    "goal": "Extract pricing data as JSON: {\"item\": str, \"price\": str, \"currency\": str}",
    "browser_profile": "stealth",
    "proxy_config": {"enabled": true, "country_code": "US"}
  }'

Output

The SSE stream returns data: {...} lines. The final result is the event where type == "COMPLETE" and status == "COMPLETED" — the extracted data is in the resultJson field. Claude reads the raw SSE output directly; no script-side parsing is needed.

Parallel Extraction

When extracting from multiple independent sources, make separate parallel curl calls instead of combining into one prompt:

Good - Parallel calls:

# Compare pizza prices - run these simultaneously
curl -N -s -X POST "https://agent.tinyfish.ai/v1/automation/run-sse" \
  -H "X-API-Key: $TINYFISH_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://pizzahut.com",
    "goal": "Extract pizza prices as JSON: [{\"name\": str, \"price\": str}]"
  }'

curl -N -s -X POST "https://agent.tinyfish.ai/v1/automation/run-sse" \
  -H "X-API-Key: $TINYFISH_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://dominos.com",
    "goal": "Extract pizza prices as JSON: [{\"name\": str, \"price\": str}]"
  }'

Bad - Single combined call:

# Don't do this - less reliable and slower
curl -N -s -X POST "https://agent.tinyfish.ai/v1/automation/run-sse" \
  -H "X-API-Key: $TINYFISH_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://pizzahut.com",
    "goal": "Extract prices from Pizza Hut and also go to Dominos..."
  }'

Each independent extraction task should be its own API call. This is faster (parallel execution) and more reliable.

Comments

Loading comments...