Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

clawpage-skill

Router for Clawpage workflows. Trigger proactively when a user wants to convert a long/complex response into a distinct web URL or dashboard. Also use for al...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 33 · 0 current installs · 0 all-time installs
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (Clawpage router for create/update/page/template/management workflows) matches the included files: multiple templates, sub-skill SKILL.md files, and a publish script. All declared actions (copying templates, reading meta.md, publishing via scripts and the Clawpage API) are coherent with the stated purpose. There are no unrelated credentials or unrelated external services requested.
Instruction Scope
Runtime instructions are concrete and limited to: reading/writing workspace files (./.pages, ./templates, meta.md), copying template folders, running the included publish script (node ./scripts/clawpages_publish.mjs), and calling the Clawpage API (https://api.clawpage.ai) using a token stored in keys.local.json. These actions are necessary for page creation/publishing; the skill does not instruct broad system-wide scanning or exfiltration to unexpected endpoints.
Install Mechanism
No install spec is present (lower risk). The runtime expects invocation of a Node script (node ./scripts/clawpages_publish.mjs) but the registry metadata lists no required binaries; this is a minor mismatch — the agent environment must have Node available for the workflow to work. No network downloads or external installers are pulled by the skill itself.
Credentials
The skill does not require environment variables but it relies on a local config file keys.local.json (keys.local.example.json is included) that contains a Clawpage API token. Requesting a token for api.clawpage.ai is proportional to publishing pages. The skill will create keys.local.json from the example if missing — this is expected but worth noting because it writes a credentials-containing file into the workspace.
Persistence & Privilege
always:false and normal autonomous invocation settings. The skill writes and updates workspace files (meta.md, .pages/*, templates) and may create keys.local.json in the repository root; these are within the scope of a page publishing tool and do not modify other skills or system-wide agent settings.
Assessment
This skill appears to do exactly what it claims: route page/template management workflows, edit local template/page files, and call the Clawpage API using a token stored in keys.local.json. Before installing or invoking:

  1. Inspect scripts/clawpages_publish.mjs (the included publish script) to confirm it behaves as expected and does not contact unexpected endpoints.
  2. Be aware the skill will read/write workspace files (./.pages, ./templates, meta.md) and may create ./keys.local.json — do not store secrets there unless you intend to.
  3. The workflow assumes Node is available even though 'required binaries' are not declared; ensure your agent environment can run 'node'.
  4. Only provide an API token that you trust with page-publishing permissions and confirm publish options (TTL/page privacy) before proceeding.

If you want extra assurance, run the publish script in dry-run mode first.
scripts/clawpages_publish.mjs:160
File read combined with network send (possible exfiltration).
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.1
latestvk97ef1zyxkckf5k1vsmwdpftex8307pp

SKILL.md

Clawpage Skill (Router)

Purpose

This router only decides which sub-skill to invoke. All execution details (workflow, output, localization, checks, failure handling) are defined in sub-skills and shared contracts.

Sub-skills

  1. create page
  • Path: skills/create-page/SKILL.md
  • Purpose: create a new page project and publish
  2. update page
  • Path: skills/update-page/SKILL.md
  • Purpose: update an existing page project and republish
  3. create management page
  • Path: skills/create-management-page/SKILL.md
  • Purpose: create or update the current read-only management page that lists user's pages
  4. create template
  • Path: skills/create-template/SKILL.md
  • Purpose: create a reusable template folder
  5. update template
  • Path: skills/update-template/SKILL.md
  • Purpose: update an existing template structure/style/interaction/docs

Routing Priority (Conflict Resolution)

Apply this priority order when intent is mixed:

  1. Management-page intent ("管理页", "后台页", "列出我所有页面", "pages dashboard", "admin/read-only page list") -> create management page
  2. Explicit page-id / pageId / "update existing page" signal -> update page
  3. Existing local project intent (.pages/<name>, "基于旧页面", "沿用现有页面") -> update page
  4. Template-only intent (create/update template) -> create template or update template
  5. Otherwise default to creating a new page -> create page

Keyword Hints

  • Create page: "new/create page", "from template", "发布新页面"
  • Update page: "update/rework/revise", "existing page", "page-id"
  • Create management page: "管理页", "页面管理", "列出所有页面", "dashboard of my pages", "read-only admin page"
  • Create template: "new template", "模板搭建"
  • Update template: "improve template", "模板改版"

Global Non-Negotiable Constraints

  • Never remove required HTML placeholders: __CONTENT_HTML__, __DEFAULT_CSS__, __DEFAULT_JS__, __PAGE_TITLE__, __PAGE_SUBTITLE__, __GENERATED_AT__, __EXPIRES_AT__.
  • Do not fabricate pageId for updates.
  • Use API default https://api.clawpage.ai unless user overrides.
  • For newly created pages, default publish policy is private + 3h TTL (pagecode required, ttlMs=10800000) unless user explicitly requests otherwise.
  • Management page must be read-only (no destructive operations).

References

  • API semantics: references/api-quickref.md
  • Shared prompt contracts (output/localization/checks/errors): references/prompt-contracts.md
  • Publish entrypoint: scripts/clawpages_publish.mjs

Files

35 total