Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
LLMs.txt Generator
v0.1.0
Generate a well-structured llms.txt file for any business website. Crawls the site, has a short conversation to fill in gaps, and produces an agent-optimized...
⭐ 0· 359·0 current·0 all-time
by Naman Muley @ngm9
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the included code: scripts/crawl.py implements a 2-level crawler and extraction heuristics consistent with generating an llms.txt. However, SKILL.md hardcodes a Python virtualenv path (~/.virtualenvs/llms-txt-generator/bin/python3) and a workspace path (~/.openclaw/workspace/llms-txt-generator/scripts/crawl.py) even though the skill declares no required binaries or install steps — this mismatch is unexpected.
Instruction Scope
Instructions restrict actions to crawling the user-provided site and re-crawling extra URLs, producing /tmp/llms_business_info.json and conversational gap-filling. The crawler extracts emails and raw page text (including up to 8000 chars in deep mode). This is within the stated purpose, but extracting emails/raw text is sensitive and the skill will fetch any URLs the user (or agent) supplies, which could reach internal endpoints if given.
Install Mechanism
There is no install spec despite the code requiring Python packages (httpx, beautifulsoup4, lxml). The SKILL.md invokes a specific virtualenv path that is not provisioned by the registry metadata. That mismatch means the runtime may fail or an operator might create the virtualenv themselves (with attendant trust concerns). No external downloads or obscure URLs are used in the code, which is good, but dependency handling is underspecified.
Credentials
The skill requests no environment variables or credentials, which aligns with its stated purpose. It does extract email addresses and other public content from crawled pages; including emails in generated llms.txt is consistent with the referenced spec, but users should be aware public email addresses found by the crawler will be surfaced in output.
Persistence & Privilege
always is false and the skill doesn't request persistent system-wide privileges. It writes to /tmp/llms_business_info.json (transient) and reads/writes only its own workspace/script — no evidence it alters other skills or global config.
What to consider before installing
This skill appears to implement the described crawler and llms.txt generation, but before running it you should: (1) review the crawl.py source yourself (it only issues HTTP GETs and parses HTML, but it extracts emails and page text), (2) note that dependencies (httpx, beautifulsoup4, lxml) are required but not installed by the registry — either run it in a controlled virtualenv or provide the packages, (3) the SKILL.md hardcodes a virtualenv/workspace path that may not exist — adjust the invocation to your environment, (4) avoid asking it to crawl sensitive internal URLs unless you trust the environment (the crawler will fetch any URL you give it), and (5) consider running the skill in a sandboxed environment or with restricted network access until you're comfortable with its behavior.
Like a lobster shell, security has layers — review code before you run it.
latest vk9740kjbfrfn83v2h6c9m8qh8x821a1v
