anydocs - Generic Documentation Indexing & Search
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill is mostly aligned with documentation search, but users should review it because its setup tests can alter local anydocs state and browser indexing has unclear URL-scope controls.
Install only if you are comfortable with a local documentation scraper/cache. Prefer manual virtual-environment installation over running setup.sh, or inspect/modify setup.sh so tests do not touch your real ~/.anydocs data. If using browser rendering, use trusted documentation sites, keep the gateway token private, and verify URL filtering before indexing untrusted sitemaps.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the setup script during install or upgrade could clear existing documentation indexes and leave or overwrite a test profile in the user's anydocs configuration.
The setup script automatically runs the included test suite. In test_anydocs.py, those tests instantiate default ConfigManager/CacheManager objects and include `deleted = cache.clear_cache()`, so setup can affect the user's real anydocs cache/config rather than isolated test state.
echo "Running tests..." python3 test_anydocs.py
Make tests opt-in, run them only against temporary config/cache directories, and warn before any setup step modifies or clears existing user data.
If a configured or compromised sitemap lists unexpected URLs, browser rendering may visit pages the user did not intend to index, potentially including non-documentation or internal locations.
The HTTPS validation is conditional on a gateway token, and sitemap URLs are added as-is in the shown code. This weakens the documented browser-rendering boundary and may allow browser rendering of URLs outside the intended documentation scope unless later code filters them.
if use_browser and gateway_token:
if not base_url.startswith("https://"):
raise ValueError(...)
...
for loc in soup.find_all("loc"):
url = loc.get_text(strip=True)
if url:
urls.append(url)Enforce HTTPS whenever browser rendering is enabled, and filter every discovered URL to the configured base URL or same origin before any HTTP, Playwright, or gateway browser request.
If the gateway token is exposed or sent to an untrusted gateway URL, someone else could potentially invoke browser tooling with the user's authority.
Optional browser rendering uses an OpenClaw gateway bearer token. This is purpose-aligned and documented, but it is still a credential and should only be sent to a trusted gateway URL.
headers = {
"Authorization": f"Bearer {self.gateway_token}",
"Content-Type": "application/json"
}
resp = requests.post(f"{self.gateway_url}/tools/invoke", ...)Prefer the OPENCLAW_GATEWAY_TOKEN environment variable, keep the gateway URL local/trusted, avoid putting tokens in shell history, and declare the optional credential in metadata.
Indexed internal or private docs may remain on disk and be searchable until the cache expires or is cleared.
The skill intentionally persists fetched documentation and indexes locally. This is expected for a search/indexing tool, but it can include private or internal documentation if the user indexes those sites.
- Pages cached locally with 7-day TTL (configurable) - Search indexes cached for instant second searches - Configuration stored in `~/.anydocs/config.json`
Only index documentation you are allowed to store locally, protect the ~/.anydocs directory, and use the cache-clear commands when the data should no longer persist.