ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Clawddocs Local

v1.0.0

Clawdbot documentation expert with decision tree navigation, search scripts, doc fetching, version tracking, and config snippets for all Clawdbot features

0· 23·1 current·1 all-time
byNetanel Abergel@netanel-abergel·duplicate of @tigertamvip/clawddocs-1
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the bundled scripts and snippets (docs sitemap, search, fetch, track changes, config snippets). However the README/ SKILL.md promises features like downloading all docs, building a full-text index, and version tracking; the shipped scripts are simple stubs that only echo messages and do not implement those features. Metadata versions/owner IDs differ between registry metadata and _meta.json/package.json, suggesting provenance/versioning issues.
!
Instruction Scope
SKILL.md instructs the agent to run local scripts (search/fetch/build-index/track-changes) and to 'cite the source URL'. The scripts provided do not perform network access or indexing — they only echo actions (placeholders). That means the runtime instructions promise capabilities that the included code does not deliver; if the agent assumes the scripts do real work it may produce incorrect behavior. The SKILL.md also references using a browser and external docs (https://docs.clawd.bot/) which are legitimate but outside the local bundle; nothing in the package actually verifies or fetches that content.
Install Mechanism
Instruction-only with small shell scripts; there is no install spec, no downloads, and no archives to extract. This is low-risk from an installation standpoint.
Credentials
requires.env lists none (and no primary credential). Snippets include placeholders like ${DISCORD_TOKEN} and ${TELEGRAM_TOKEN} and reference an agent model 'anthropic/claude-sonnet-4-5' in examples. These are example config values, not runtime requirements, but the presence of credential placeholders (without declaring them) is a mild inconsistency users should be aware of — the skill does not request secrets but its snippets instruct how to insert them into configs.
Persistence & Privilege
always is false and the skill has no install mechanism that modifies system or other skills. It does not request persistent privileges or system-wide changes.
What to consider before installing
This package appears to be a local 'docs helper' stub rather than a fully implemented tool. Before installing or invoking it: (1) don't assume scripts will actually fetch or index docs — inspect/replace scripts if you need real behavior; (2) verify the owner/version (metadata mismatches suggest possible copy or fork); (3) never paste real API tokens into example files — the snippets show placeholders but provide no secret-handling guidance; (4) if you need full-text search or automated fetching, request a provenance or a released version that implements those features (or review/modify the scripts yourself); (5) it's low-risk to preview, but avoid granting secrets or running unreviewed network-download scripts until the implementation and source are confirmed.

Like a lobster shell, security has layers — review code before you run it.

latestvk97eccefmsz3b8hxs2a8m4wvvs8422bq

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments