Nlweb Protocol
Pass. Audited by ClawScan on May 13, 2026.
Overview
The skill appears to be a benign NLWeb guidance bundle, but it may guide the agent to browse documentation and suggest commands that affect cloud credentials, data indexes, and stored conversations.
This looks safe to use as an NLWeb reference skill. Expect it to suggest browsing official docs and running setup/deployment commands; review commands before execution, keep credentials in environment variables or a secret manager, and configure auth, tenant isolation, endpoint exposure, and conversation retention deliberately. This assessment is limited to the artifacts shown, since some listed files were omitted or truncated in the provided prompt.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may browse official NLWeb/GitHub documentation before answering NLWeb coding questions.
The skill directs the agent to use web search/fetch external documentation before implementation. This is disclosed and aligned with an evolving protocol, but it changes the agent's normal workflow.
Always web-search for the latest README, docs, and release notes before coding.
Allow this for NLWeb implementation work, but review any fetched content and keep your explicit instructions authoritative.
If run against the wrong backend or site name, this could remove indexed content from an NLWeb vector store.
The documentation includes a command that can delete a site's indexed data. It is presented as a user-directed maintenance step, not automatic behavior.
python -m data_loading.db_load --only-delete delete-site <site-name>
Run destructive data-loading commands manually, confirm the target site/backend, and test in staging before production.
A deployment may need extra middleware or separate indexes to prevent cross-tenant or unauthorized access.
The skill explicitly warns that NLWeb OAuth identifies users but does not provide all authorization or tenant-isolation controls by default.
It does not ship:
- Fine-grained authorization (per-site ACLs)
- API key auth for service-to-service callers
- Multi-tenant data isolation at the retrieval layer
Implement authorization, tenant scoping, and least-privilege OAuth/API-key handling before exposing a multi-tenant NLWeb service.
User conversations may be stored in configured storage or vector backends if persistence is enabled.
The skill describes persistent conversation memory tied to authenticated users, which is expected for NLWeb but affects retention and privacy.
The session cookie carries the user identity; conversation persistence keys off that identity.
Set clear retention, disable persistence where unnecessary, and ensure conversation search is scoped per user and tenant.
External agent clients may be able to query the NLWeb backend if endpoints are exposed.
The skill guides exposing NLWeb through MCP and ChatGPT Apps SDK adapters, creating agent-to-service data flows that need normal endpoint controls.
- Claude / Gemini / direct MCP clients → port 8000 `/mcp`
- ChatGPT → port 8100 adapter OR Node.js server
Expose only intended endpoints and configure TLS, CORS, authentication, rate limits, and tenant boundaries before public deployment.
