Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Jits Builder

Instantly build, deploy, and access single-page, vanilla JS mini-apps from voice or text descriptions via a Cloudflare tunnel URL.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
by Danny Shmueli (@dannyshmueli)
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes building single-file client apps and making them available via a Cloudflare tunnel, which legitimately requires Node.js (to serve) and a cloudflared binary (to create tunnels). However, the skill does not document how Cloudflare auth/certificates are provided or why no Cloudflare credentials or configuration are declared; that omission is inconsistent with the stated deployment goal.
Instruction Scope
Runtime instructions instruct the agent to save generated apps under /data/clawd/jits-apps/, start local servers, and create Cloudflare tunnels. They also state cloudflared will be auto-downloaded to /tmp if missing. Those runtime actions include network exposure and arbitrary binary download/execution and are broader than a simple code-generation helper — the SKILL.md does not limit or explain where the binary comes from or how tunnels are authenticated.
Install Mechanism
There is no formal install spec, but the skill claims it will auto-download the cloudflared binary at runtime. Auto-downloading and executing binaries at runtime is higher risk when the source/URL is not documented. package.json exists (implying Node usage) but there is no declared install step or vetted source list.
Credentials
No environment variables or credentials are declared despite the skill creating public tunnels; in practice cloudflared typically requires authentication (a cert or account linkage). The lack of declared credentials or guidance for how to securely supply them is a mismatch between required capabilities and declared requirements.
Persistence & Privilege
The skill is not marked always:true, but model invocation is not disabled. That means the agent could autonomously run the script, download a binary, start servers and tunnels, and publish URLs without additional gating. Combined with network-exposing behavior, this is a notable privilege to leave unconstrained.
What to consider before installing
This skill's goal (quickly build and publish single-file apps) is plausible, but it performs risky runtime actions: auto-downloads a binary and creates public tunnels. Before installing or enabling it, review the jits.sh script content to see exactly what it downloads and from where, and verify package.json dependencies. Prefer running it in an isolated environment (container or sandbox). Require explicit Cloudflare credentials or a documented, trusted auth flow rather than implicit auto-downloading of cloudflared. If you will allow model-initiated runs, consider disabling autonomous invocation or restricting the skill so it cannot start tunnels without your explicit approval.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0
latest: vk975h5c42k8h7ptcwj3xkg0ec5804ffm

SKILL.md

JITS Builder - Just-In-Time Software 🚀

Build instant mini-apps from voice or text descriptions. Describe what you need, get a working tool deployed in seconds.

What is JITS?

Just-In-Time Software - the idea that you don't need to find or install tools. You describe what you need and it gets built on the spot.

"I need a timer that plays a sound after 25 minutes"
"Make me a tool to split a bill between friends"
"Create a page where I can paste JSON and see it formatted"

Requirements

  • Cloudflared binary (auto-downloads to /tmp/cloudflared if missing)
  • Node.js (for serving the app)

How It Works

  1. Describe - Voice or text, explain what you want
  2. Generate - Agent builds a single-file HTML/JS/CSS app
  3. Deploy - Cloudflare tunnel makes it instantly accessible
  4. Use - Get a URL, use your tool, share it

Usage

Just ask naturally:

"Build me a pomodoro timer"
"I need a quick tool to convert CSV to JSON"
"Make a tip calculator"
"Create a color palette generator"

The agent will:

  1. Generate the HTML/JS code
  2. Save to /data/clawd/jits-apps/<name>.html
  3. Serve on a local port
  4. Create Cloudflare tunnel
  5. Return the public URL

Managing JITS Apps

# List running apps
/data/clawd/skills/jits-builder/jits.sh list

# Stop an app
/data/clawd/skills/jits-builder/jits.sh stop <name>

App Guidelines

When building JITS apps:

  1. Single file - All HTML, CSS, JS in one file
  2. No dependencies - Use vanilla JS, no external libraries
  3. Mobile-friendly - Responsive design
  4. Dark theme - Looks good, easy on eyes
  5. Self-contained - No backend/API calls needed
  6. Branded - Include "Built with JITS" badge

Template Structure

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>🚀 JITS - [App Name]</title>
  <style>
    /* Dark theme, centered layout */
    body {
      font-family: -apple-system, sans-serif;
      background: linear-gradient(135deg, #1a1a2e, #16213e);
      min-height: 100vh;
      display: flex;
      align-items: center;
      justify-content: center;
      color: white;
    }
    /* ... app styles ... */
  </style>
</head>
<body>
  <div class="container">
    <h1>[App Title]</h1>
    <div class="badge">Built with JITS</div>
    <!-- App content -->
  </div>
  <script>
    // App logic
  </script>
</body>
</html>

Example Apps

App              Description
Pomodoro Timer   25/5 min work/break cycles with sound
Tip Calculator   Split bills with custom tip %
JSON Formatter   Paste JSON, see it pretty-printed
Color Picker     Generate and copy color palettes
Countdown        Timer to a specific date/event
QR Generator     Text to QR code
Unit Converter   Length, weight, temperature
Decision Maker   Random picker for choices

Limitations

  • Single-page only - No multi-page apps
  • No backend - Client-side only, no databases
  • Temporary URLs - Tunnels expire when stopped
  • No persistence - Data doesn't survive refresh (use localStorage if needed)

Directory Structure

/data/clawd/jits-apps/
├── pomodoro.html      # App HTML
├── pomodoro.pid       # Server process ID
├── pomodoro.port      # Port number
├── pomodoro.url       # Tunnel URL
└── pomodoro.tunnel.pid # Tunnel process ID
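
Because every deployed app leaves a tunnel URL and two PID files in this directory, the state files double as an exposure inventory. The following is an added example, not part of the skill or its jits.sh: the function names are hypothetical, and it assumes each state file holds a single value named as in the listing above.

```shell
#!/bin/sh
# Added example: inventory JITS state files to see which apps are still
# published through a tunnel. File names follow the Directory Structure
# listing; the function names are hypothetical.

# pid_state FILE -> "up" if FILE holds the PID of a live process, else "down".
# kill -0 only probes the process; it also fails for processes owned by
# another user, so run this as the account that owns the skill (or as root).
pid_state() {
    pid=$(cat "$1" 2>/dev/null) || { echo down; return; }
    case "$pid" in
        ''|*[!0-9]*) echo down; return ;;   # empty or non-numeric content
    esac
    if kill -0 "$pid" 2>/dev/null; then echo up; else echo down; fi
}

# jits_audit [DIR] -> one line per app: name, port, URL, server and tunnel state.
jits_audit() {
    dir=${1:-/data/clawd/jits-apps}
    for html in "$dir"/*.html; do
        [ -f "$html" ] || continue          # glob matched nothing
        name=$(basename "$html" .html)
        port=$(cat "$dir/$name.port" 2>/dev/null || echo -)
        url=$(cat "$dir/$name.url" 2>/dev/null || echo -)
        server=$(pid_state "$dir/$name.pid")
        tunnel=$(pid_state "$dir/$name.tunnel.pid")
        printf '%s port=%s url=%s server=%s tunnel=%s\n' \
            "$name" "$port" "$url" "$server" "$tunnel"
    done
}

# jits_exposed [DIR] -> only the apps whose tunnel process is alive, i.e. the
# ones currently reachable from the internet.
jits_exposed() {
    jits_audit "$1" | grep ' tunnel=up$' || true
}

# Stand-alone use: audit the directory given as the first argument, or the
# default location when none is given.
jits_audit "$@"
```

Any app that jits_exposed reports but that is no longer needed can be taken down with the `jits.sh stop <name>` command shown under Managing JITS Apps.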

"The best tool is the one you build exactly when you need it." 🐱🦞

Files

4 total