ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Mdorigin

v0.2.0

Build, preview, and deploy markdown-first sites with local preview, Cloudflare bundles, and agent-readable raw markdown routes.

0· 54·1 current·1 all-time
by@jolestar
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (build, preview, deploy mdorigin sites) align with the commands and docs in SKILL.md. However, the instructions assume a Node/npm environment and Cloudflare/R2 deployment capabilities while the skill metadata declares no required binaries or credentials — an internal inconsistency.
Instruction Scope
SKILL.md stays on-topic: it documents installing the mdorigin npm package, running local dev/build commands, calling the project's public docs and search API, and a Cloudflare deploy flow. It does not instruct the agent to read unrelated host files or exfiltrate local data.
Install Mechanism
This is instruction-only (no install spec). The doc recommends running npm install -g or project-local npm install, which will install code from the npm registry — normal for this purpose but it means the agent/operator will run network installs and execute third-party code. No direct download URLs or extract steps are present in the skill itself.
!
Credentials
The SKILL.md references Cloudflare/R2 deployment and a bucket name placeholder but the skill lists no required environment variables or primary credentials. Deploying to Cloudflare/R2 typically requires API tokens/credentials (and possibly wrangler or other tooling). Also, the metadata fails to declare npm/node as required binaries even though the instructions assume them. The omission could be benign (author expects the environment to provide them) but it is a surprising gap the user should confirm.
Persistence & Privilege
always is false and there are no code files or install hooks in the skill bundle; it does not request persistent or elevated agent privileges. Autonomous invocation is allowed by default but is not combined with other high-risk flags.
What to consider before installing
This skill is mostly a usage guide for the mdorigin npm tool, but it omits some important operational details. Before installing or letting an agent run these commands: 1) Confirm you have/allow Node and npm on the host (the SKILL.md assumes them though metadata doesn't list them). 2) Inspect the mdorigin npm package (source repository, npm page) before installing, especially if installing globally. 3) If you plan to use the Cloudflare/R2 deploy flow, prepare scoped Cloudflare API tokens and verify where/when they will be provided — the skill does not declare or request these credentials. 4) Prefer project-local installs (npm --save-dev) over global installs if you want tighter control. 5) Treat the listed remote docs (mdorigin.jolestar.workers.dev) as third-party endpoints; verify you trust that domain before allowing automated agents to fetch or post data. If you want to be cautious, run the recommended commands manually in a controlled environment first and confirm what credentials the mdorigin tool actually requires.

Like a lobster shell, security has layers — review code before you run it.

latestvk973e1mqkfbjg3ct368qxjpgcx83vcww

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments