ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

web-skills-protocol

v1.0.0

Auto-discover and use Web Skills Protocol (WSP) skills when interacting with websites. Use this skill whenever the user asks you to interact with, use, or pe...

0· 325·0 current·1 all-time
byTresser@0xtresser
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the actual instructions: the skill only describes discovering /skills.txt or /agents.txt and fetching SKILL.md files to drive site-specific interactions. No unrelated binaries, env vars, or installs are required.
!
Instruction Scope
The runtime instructions require the agent to fetch and follow arbitrary remote SKILL.md files and act on them. That is necessary for the stated purpose, but it also means any website can serve instructions the agent will follow. The SKILL.md content becomes an execution surface and can contain adversarial directives (prompt-injection). The skill text does include sensible guardrails (respect robots.txt; ask user for auth) but does not specify validation, provenance checks, or sandboxing of remote instructions.
Install Mechanism
There is no install specification in the registry entry (instruction-only). The README shows optional curl-based install examples from raw.githubusercontent.com (a well-known host) — that is traceable. No archive downloads or obscure URLs are required by the skill itself.
Credentials
The skill declares no environment variables, credentials, or config-path access (proportionate). However, by design it will surface SKILL.md files that may request authentication or credentials for the target site; the SKILL.md instructs the agent to ask the user before using creds, but the skill does not enforce or validate that flow, creating a social-engineering risk.
Persistence & Privilege
The skill is not always-enabled, is user-invocable, and the registry flags are default. It does not request permanent privileges or modify other skills/config. No elevated persistence is requested.
Scan Findings in Context
[unicode-control-chars] unexpected: The SKILL.md contained unicode control character patterns flagged by the scanner. Control characters are not required for the protocol and are commonly used in adversarial prompt-injection obfuscation. This increases the risk that some published discovery/skill files could attempt to manipulate agent behavior.
What to consider before installing
This skill is coherent with its purpose — it makes an agent check for site-published SKILL.md files and follow them — but that capability is a double-edged sword. Before installing or enabling this skill, consider: 1) only allow automatic discovery for trusted sites or require explicit user confirmation before fetching/using a site's SKILL.md; 2) always ask the user before providing credentials or performing financial/account actions; 3) treat remote SKILL.md content as untrusted input: validate frontmatter (auth/base_url/rate_limit), limit what instructions the agent will follow automatically, and sandbox or audit actions (no silent exfiltration of sensitive data); 4) prefer policies that block or warn on SKILL.md files containing strange control characters or other obfuscation (the scanner found unicode-control-chars here); and 5) if you operate in a high-risk environment, do not enable autonomous invocation of web-published skills without additional safety checks. If you want help drafting user-confirmation prompts or a checklist for safe SKILL.md consumption, I can provide one.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cs37kh1468k655v9624jqjd828jb0
325downloads
0stars
1versions
Updated 12h ago
v1.0.0
MIT-0
Tresser@0xtresser
latest
Download

Web Skills Protocol — Agent Skill

When a user asks you to interact with a website, check for published skills first before attempting to scrape HTML, guess at UI elements, or reverse-engineer APIs.

Discovery Workflow

Step 1: Check for skills.txt

Fetch {origin}/skills.txt (e.g., https://bobs-store.com/skills.txt).

  • 200 response → Parse it. Proceed to Step 3.
  • 404 response → Go to Step 2.

Step 2: Check for agents.txt (fallback)

Fetch {origin}/agents.txt.

  • 200 response → Parse it. Proceed to Step 3.
  • Both 404 → The site does not support WSP. Fall back to normal browsing/scraping.

Step 3: Parse the discovery file

The discovery file is Markdown with this structure:

# Site Name
> Brief description of the site.
General notes (auth info, rate limits, etc.)

## Skills
- [Skill Name](/skills/skill-name/SKILL.md): What the skill does

## Optional
- [Extra Skill](/skills/extra/SKILL.md): Less important skills

Extract:

  1. Site description (the blockquote) — context for understanding the site
  2. General notes (prose paragraphs) — auth overview, rate limits, terms
  3. Skill entries — each - [Name](url): description line is one skill

Step 4: Match user intent to a skill

Compare the user's request against each skill's description. Pick the best match.

  • If the user's intent clearly matches one skill → fetch that SKILL.md
  • If the intent could match multiple skills → fetch all candidates, pick the best fit
  • If no skill matches → tell the user what skills ARE available and ask which to use
  • Skills under "## Optional" can be skipped if context window is tight

Step 5: Fetch and follow the SKILL.md

Fetch the matched skill's URL (e.g., /skills/search/SKILL.md).

The SKILL.md has two parts:

YAML frontmatter (between --- delimiters):

  • name — skill identifier
  • description — detailed trigger and capability info
  • version — skill version
  • auth — authentication method: none, api-key, bearer, oauth2
  • base_url — base URL for API calls (if different from site origin)
  • rate_limit — rate limit information (object with two optional sub-fields):
    • agent — the publisher's recommended rate limit for AI agents (e.g., 20/minute). This is the limit you SHOULD respect.
    • api — the actual API endpoint rate limit (e.g., 100/minute). You MUST NOT exceed this.

Markdown body — the actual instructions. Follow them directly. They contain:

  • API endpoints, parameters, and examples
  • Multi-step workflows
  • Error handling guidance
  • Authentication details

Step 6: Execute

Follow the SKILL.md instructions to complete the user's request. Use the specified base_url, auth method, and endpoints exactly as documented.

Rules

  1. Always check skills.txt first. Before any HTML scraping or UI automation on a website, check for WSP support. One HTTP request saves minutes of guessing.

  2. Respect robots.txt. If robots.txt disallows /skills/ or /agents/, do NOT fetch skill files from those paths.

  3. Cache within session. Fetch skills.txt/agents.txt once per site per session. Don't re-fetch on every interaction with the same site.

  4. Don't over-fetch. Only fetch the SKILL.md files you actually need. Don't download every skill "just in case."

  5. Auth requires user consent. If a skill requires authentication (auth is not none), tell the user what credentials are needed and where to get them. Never fabricate or guess credentials.

  6. Prefer skills over scraping. When a site publishes WSP skills, use them instead of parsing HTML. Skills give you structured API access — faster, more reliable, and what the site owner intended.

  7. Stay in scope. A skill describes specific operations. Don't extrapolate beyond what the skill documents. If the user wants something the skill doesn't cover, say so.

  8. Respect rate limits. If the skill specifies a rate_limit, respect both sub-fields:

    • rate_limit.agent — the publisher's recommended limit for AI agents. SHOULD NOT exceed this.
    • rate_limit.api — the hard API limit. MUST NOT exceed this. If only one sub-field is present, treat it as the effective limit.

Quick Reference

Discovery order:     /skills.txt → /agents.txt → no WSP support
Skill directory:     /skills/{name}/SKILL.md  or  /agents/{name}/SKILL.md
Skill format:        YAML frontmatter + Markdown instructions
Auth methods:        none | api-key | bearer | oauth2
Cache policy:        Once per site per session

Example

User says: "Search for wireless headphones under $100 on bobs-store.com"

  1. Fetch https://bobs-store.com/skills.txt → 200 OK
  2. Parse skill list → find "Product Search" skill matching "search" intent
  3. Fetch /skills/search/SKILL.md
  4. Read frontmatter: auth: none, base_url: https://api.bobs-store.com/v1
  5. Follow instructions: GET /products?q=wireless+headphones&max_price=100
  6. Return structured results to the user

Comments

Loading comments...