ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AI Customer Service KB Builder

v1.0.0

Build AI-powered customer service knowledge bases by extracting FAQs from documents or websites, enabling automated replies and multi-format exports.

0· 464·3 current·3 all-time
by@dagangtj
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
Name, description, and included files align with a local KB builder: extract from files, scrape supplied URLs, build/search/export JSON knowledge bases. It does not request unrelated credentials or system access.
!
Instruction Scope
SKILL.md claims 'Website scraping respects robots.txt' and an 'Optional: OpenAI API key for enhanced matching', but the provided code (kb-builder.js) does not check robots.txt and contains no OpenAI integration. Additionally, the bundled script includes a truncated/possibly corrupted section in interactive mode (a partial 'console.lo...' line), which could cause runtime failures or undefined behavior. The skill will perform outbound HTTP(S) requests to any URL the user supplies (expected for a scraper), so users should be aware scraping is not sandboxed and will fetch remote content.
Install Mechanism
No install spec, no downloads, and the package is instruction + local Node.js script only. Nothing is written to disk by an installer; risk from install step is low.
Credentials
No required environment variables, credentials, or config paths declared. The code uses a local config.json by default and does not read secrets or external tokens as provided. The SKILL.md mention of an optional OpenAI API key is not reflected in the code, so no hidden credential use was found.
Persistence & Privilege
Skill is not always-enabled and does not request elevated/system-wide persistence or modify other skills. It runs as a normal CLI tool invoked by the user/agent.
What to consider before installing
This skill is broadly coherent for building local customer-service KBs, but do not install/run it blindly. Before use: (1) review and fix the kb-builder.js file — the interactive mode is truncated and may crash; (2) if you rely on the SKILL.md claim that scraping respects robots.txt, add explicit robots.txt checks in the code (currently missing); (3) if you expect OpenAI-enhanced matching, verify or implement safe optional integration rather than assuming the script will use your API key; (4) only scrape URLs you control or have permission to scrape, since the tool will fetch remote pages; and (5) run the script in a restricted environment or with non-sensitive sample data first. These issues look like sloppy implementation rather than intentional malice, but they are important to resolve before production use.

Like a lobster shell, security has layers — review code before you run it.

aivk972e0rnk6hzvvcr4k7j5p1tw581yq5yautomationvk972e0rnk6hzvvcr4k7j5p1tw581yq5ycustomer-servicevk972e0rnk6hzvvcr4k7j5p1tw581yq5yfaqvk972e0rnk6hzvvcr4k7j5p1tw581yq5yknowledge-basevk972e0rnk6hzvvcr4k7j5p1tw581yq5ylatestvk972e0rnk6hzvvcr4k7j5p1tw581yq5y

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments