Samvida
Pass
Audited by ClawScan on May 10, 2026.
Overview
Samvida appears aligned with its stated purpose, but users should notice that deployment can change live website-provider settings and uses sensitive provider tokens.
Before installing, make sure you are comfortable with a skill crawling the provided website, sending crawled content to your configured LLM provider, and optionally using Cloudflare/Webflow credentials to publish a live /llms.txt route. Review the generated file before deployment and use limited-scope credentials where possible.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A hostile or compromised page could try to steer the generated llms.txt or the conversation.
The skill intentionally places crawled website text into the model context for extraction. That is purpose-aligned, but website text is untrusted and could influence the draft if it contains prompt-injection-like instructions.
This returns `pages_raw` — the full raw text of every crawled page. Use it to extract structure with the LLM.
Review the generated draft carefully before accepting or deploying it, especially when crawling sites you do not control.
If run with the wrong domain or credentials, it could publish an unintended llms.txt route or change live Webflow publishing state.
Deployment can create or update live Cloudflare/Webflow configuration. This is disclosed and tied to the skill's purpose, but it is a meaningful live-site mutation.
Cloudflare Workers: Fully automated ... A Cloudflare Worker script named `samvida-{domain-slug}` ... A route: `{domain}/llms.txt` → that Worker ... Webflow ... Creates or updates a 301 redirect ... Publishes the site
Deploy only for domains you control, verify the generated file first, and confirm the target account, zone, site, and domain before running deployment.
These tokens can modify website-provider resources during the deploy step.
The optional deployment paths require provider credentials with permissions to change live hosting or publishing configuration. This is expected for deployment and is declared, but it is sensitive authority.
"CF_API_TOKEN": "Cloudflare API token with 'Edit Cloudflare Workers' permissions" ... "WEBFLOW_SITE_API_TOKEN": "Webflow Site API token with Assets, Sites, Redirects, and Publishing scopes"
Use least-privilege, temporary tokens where possible, revoke them after use if not needed, and avoid sharing them in chat transcripts or shell history.
Public contact details and website content may be processed by the configured LLM provider and included in the generated file.
The skill discloses that crawled public names/emails may be sent to the configured LLM provider and written to a temporary output file.
Crawled pages may contain publicly available contact details (emails, names). These are included in the llms.txt output and sent to your configured OpenClaw LLM provider for generation. No data is stored by the skill beyond the generated file at /tmp/samvida_llms.txt.
Avoid crawling private pages or adding confidential extra URLs, and review the output for personal or sensitive details before deployment.
Manual dependency installation can vary by environment and package version.
The skill relies on manually installed Python dependencies rather than a pinned install spec. This is common for local tooling but gives less reproducible dependency provenance.
Missing dependencies. Run: pip install httpx beautifulsoup4 lxml
Install dependencies in an isolated virtualenv and consider pinning package versions if using this in a production workflow.
