Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Site Cloner
v1.0.0Clone any live website into a self-contained, dependency-free HTML file with all content, styles, fonts, and images extracted and preserved. Use when asked t...
⭐ 0· 20·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
high confidencePurpose & Capability
The skill's goal—fetching HTML/JS/CSS and assembling a standalone HTML file—is consistent with the instructions. However, the SKILL.md includes unrelated hard-coded local paths (C:\Users\MJ\.openclaw\workspace, C:\Users\MJ\.ssh\vps_key), a concrete VPS IP (187.124.92.226) and example GitHub user (michelle447). These examples go beyond 'how to clone a site' and imply specific local credentials/endpoints that are not justified by the general purpose.
Instruction Scope
Instructions tell the agent to download JS/CSS bundles and mine them for strings and image paths (expected), but also to read/write specific local filesystem locations, use a local SSH private key, scp/ssh to a hard-coded remote host, and push to GitHub. The SKILL.md never instructs the agent to prompt the user before using local keys or remote hosts, nor does it limit what local files to access. Mining JS bundles via regex may also inadvertently capture sensitive strings present in bundles (tokens, endpoints).
Install Mechanism
Instruction-only skill with no install spec or code files — lowest install risk. No packages are downloaded/installed by the skill itself. The main risk is runtime behavior, not installation.
Credentials
The metadata declares no required env vars or credentials, but the runtime instructions implicitly require and access sensitive local artifacts (private SSH key at a specific path) and external tooling (git, gh, ssh, scp) without declaring them. This mismatch (no declared credentials but explicit use of ~/.ssh and pushes to GitHub) is incoherent and increases the chance of accidental credential exposure or misuse. The skill also references a specific remote IP and port allocations, which is unexpected for a general-purpose cloner.
Persistence & Privilege
always is false and the skill is not force-included. It can run autonomously by default, which is normal. The real privilege concern is that the instructions perform network operations (scp/ssh, gh push) and write files to disk; combined with implicit use of local SSH keys this increases blast radius if the agent invokes the skill without explicit user consent. The skill does not request altering other skills' configs.
What to consider before installing
This skill appears to implement a website cloner, but it contains several red flags you should consider before using it:
- Hard-coded local paths and credentials: The instructions reference C:\Users\MJ\.openclaw\workspace and C:\Users\MJ\.ssh\vps_key and even a specific VPS IP (187.124.92.226) and GitHub user. Those are example values but could cause accidental use of your own keys/paths if run without careful review.
- Implicit credential access: The skill will call ssh/scp and gh/git commands and expects an SSH key at a path. The skill metadata declares no credentials or config paths — that mismatch is concerning. If you run it, verify it will not read your ~/.ssh or any secret files, and never let it access keys you care about.
- Undeclared required binaries: The metadata lists no required binaries, but the instructions require git, gh (GitHub CLI), ssh and scp and PowerShell's Invoke-WebRequest. Ensure these are present and that the agent will not run commands with elevated privileges automatically.
- Network and data exfiltration risk: The skill downloads JS/CSS and mines strings — this can accidentally extract secrets or proprietary text. It also offers to push to a private GitHub repo and to upload files to remote VPS hosts; double-check destinations and consider using throwaway credentials or sandboxed systems.
- What to ask the author or change before use: remove or parameterize any hard-coded paths/hosts, add explicit prompts and confirmations before accessing ~/.ssh or performing network pushes, declare required binaries and any env vars, and avoid embedding example real IPs/usernames. Prefer running this in a disposable VM/container and using a throwaway SSH key/GitHub repo for testing.
If you do test it, run it offline or in a sandbox, replace example remote targets with safe test endpoints, and review every generated command before execution. If you are not comfortable auditing these operations, consider using well-known mirroring tools (wget --mirror, httrack) run by a human instead.Like a lobster shell, security has layers — review code before you run it.
clonevk9798nwcyy0mkbtwq4p4w2c279847dk5htmlvk9798nwcyy0mkbtwq4p4w2c279847dk5latestvk9798nwcyy0mkbtwq4p4w2c279847dk5vpsvk9798nwcyy0mkbtwq4p4w2c279847dk5webvk9798nwcyy0mkbtwq4p4w2c279847dk5
License
MIT-0
Free to use, modify, and redistribute. No attribution required.