Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Uimap

Provides the accurate URL and step-by-step click operation path for completing tasks on websites. If the task involves operations on a web app, use this skil...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 180 · 1 current installs · 1 all-time installs
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to provide URLs and step-by-step UI operation paths and the SKILL.md describes a CLI (uimap) and search/login commands that match that purpose. However, the registry metadata contains no install spec even though the runtime instructions explicitly require installing an external CLI; the disconnect is noteworthy but not necessarily malicious.
Instruction Scope
Instructions do not ask the agent to read local files or unrelated environment variables. They do instruct the user to run a CLI and authenticate via browser OAuth — which implies transmitting user queries and possibly site-specific data to a remote service. The SKILL.md does not document what data is sent or what OAuth scopes are requested.
Install Mechanism
Although an npm package is referenced (reasonable), the SKILL.md also recommends installing via a curl|bash script hosted at https://s.dwimg.top — a short/unfamiliar domain and a curl|bash install pattern are high-risk (arbitrary code execution). A global npm install can also run postinstall scripts; neither install path is captured in the registry metadata for review.
Credentials
The skill declares no required environment variables or credentials in the registry metadata. However, the runtime flow requires OAuth login to a remote service and will create persistent tokens/credentials in the user's environment or browser. The lack of declared primary credentials or explanation of required OAuth scopes is a gap.
Persistence & Privilege
The skill itself is instruction-only and not always-enabled. Installing the recommended CLI (npm global install or curl script) and performing OAuth login will create persistent artifacts (binaries, tokens) on the user's system — normal for a CLI but not disclosed in the registry metadata. The skill does not request elevated platform-wide privileges in its metadata.
Scan Findings in Context
[NO_SCAN_ARTIFACTS] expected: This is an instruction-only skill with no code files, so the regex scanner found nothing to analyze. That is expected for SKILL.md-only skills but leaves installation-time behavior (the external CLI) unanalyzed.
What to consider before installing
This skill's behavior largely depends on an external CLI and an OAuth login. Before installing or using it:
(1) Do NOT run the curl | bash installer from s.dwimg.top; treat that as high-risk.
(2) Prefer to install only from the official npm package after verifying the package owner, source repository, and recent publish history on npmjs.com. Inspect the package source or GitHub repo for postinstall scripts and what the CLI does.
(3) When you run uimap login, check the OAuth provider and requested scopes — avoid granting broad permissions you don't understand.
(4) If you must try it, run the CLI in a sandboxed environment (VM/container) first and monitor network activity.
(5) Ask the publisher for an official homepage, repository link, and a copy of the install script for review; lack of those increases risk.
Providing those artifacts would increase confidence and could change this assessment to benign.

Like a lobster shell, security has layers — review code before you run it.

Current version: v0.1.9
latestvk9739qsyc3vp89ea956f7k3t2d834hg0

SKILL.md

uimap

search — Find step-by-step guides for any website task

Search for step-by-step operation guides to complete tasks on websites. Use when the user needs to know how to navigate or interact with a specific website.

# Find how to complete a task on a website
uimap search "<task description>"
uimap search "<task description>" --domain example.com
  • --domain [domain] — The domain of the website, e.g. example.com

Examples

uimap search "how to create a new project in example.com"
uimap search "how to invite a team member" --domain example.com

The command returns operation instructions to complete the task.

Prerequisites

Install the CLI

Via npm:

npm install -g @refore-ai/uimap

Via CDN (if npm is unavailable):

curl -fsSL https://s.dwimg.top/uimap-install/install.sh | bash

See @refore-ai/uimap on npm for full installation options.

Login

Log in to UIMap via browser OAuth. The command opens a browser window to complete authentication interactively.

Usage:

uimap login

If you need to specify a region (defaults to World or the region set during installation):

uimap login --region World
uimap login --region China
  • --region <World|China> — Server region (optional)
