Skill v1.0.0

ClawScan security

Sitemap Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 11, 2026, 1:08 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code and instructions match its stated purpose (crawling a site and producing sitemap.xml); it does not request secrets or install remote code and contains no signs of exfiltration or unrelated capabilities.
Guidance
This skill appears to be what it claims: a local Python crawler that generates sitemap.xml. Before using it, ensure you have permission to crawl the target site (and respect robots.txt even though the script doesn't), avoid pointing it at internal/private URLs you don't want probed, and be careful with the output path (it will overwrite files). Install the declared pip dependencies in a controlled environment. If you need robots.txt compliance or more aggressive rate-limiting/URL canonicalization, review or modify the script before running.

Review Dimensions

Purpose & Capability
ok: Name/description match the included script and SKILL.md. The Python crawler uses requests and BeautifulSoup as declared, only fetches same-domain HTML pages, skips binary resources, and outputs a sitemap — all expected for this purpose.
Instruction Scope
note: Instructions are limited to running the provided script with options. The script issues HTTP requests to the target URL(s) and writes an output file; it does not read other system files or environment variables. Notes: it does not check robots.txt (so may crawl pages a site disallows), and it will crawl whatever URL you provide (including internal/private addresses if you pass them), so exercise caution about targets and permissions.
Install Mechanism
ok: No install spec; the skill is instruction+script only. Dependencies are standard pip packages (requests, beautifulsoup4) and are declared in SKILL.md. Nothing is downloaded from arbitrary URLs or installed silently.
Credentials
ok: The skill requests no environment variables or credentials. The script operates with only network access to the user-specified target and local filesystem write access for the output file.
Persistence & Privilege
ok: No special persistence is requested (always:false). The skill does not modify other skills or system config. It runs only when invoked.