Hoverbot Chatbot

v1.0.1

Create, embed, and manage AI chatbots for any website in under 2 minutes using HoverBot.

by Vitaly Goncharenko (@goncharenko)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name and description match the SKILL.md content: it explains how to create a HoverBot account, get embed code, upload knowledge, and embed a widget. There are no unrelated credential requests, binaries, or install steps that would be inconsistent with a chatbot/embed guide.
Instruction Scope
Instructions are limited to directing the user to HoverBot web pages, embedding a remote script (https://cdn.hoverbot.ai/widget.js), and uploading knowledge via the HoverBot dashboard. This is within scope for a widget integration, but embedding a remote script gives that third-party script runtime execution and access to page DOM and visitor interactions — a privacy/security consideration not discussed in the doc. The instructions do not ask the agent to read local files, environment variables, or secrets.
Install Mechanism
No install spec or code files are provided (instruction-only), so nothing is written to disk by the skill itself. Runtime behavior relies on loading a remote vendor script from cdn.hoverbot.ai — expected for a hosted widget but worth vetting the origin.
Credentials
The skill requests no environment variables, credentials, or config paths. The only credentials discussed are the API key and chatbotId generated by the HoverBot dashboard, which are expected for embedding a hosted widget.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It is an agent-invocable instruction-only skill and does not attempt to modify other skills or system-wide settings.
Assessment
This skill is a straightforward how-to for using HoverBot, but embedding a remote widget means the vendor's JavaScript will execute on your pages and can observe/interact with page content and visitors. Before deploying to production: (1) confirm the domain names (hoverbot.ai / cdn.hoverbot.ai) are legitimate; (2) review HoverBot's privacy and data-handling policies for uploaded documents and chat logs; (3) limit allowed domains in the dashboard and use least-privilege API keys; (4) test on a staging site first; and (5) avoid pasting sensitive secrets into the widget or knowledge uploads. If you need the agent to perform anything beyond guiding you to the dashboard and paste/embed instructions (for example, programmatic API calls), ask for explicit details and verify what credentials it will require.

Like a lobster shell, security has layers — review code before you run it.

latestvk972grtxr0f8qph4s73a38wty5819yf4
