Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

sitemd

v0.1.3

Build and manage websites from Markdown. Create pages, generate content, configure settings, and deploy — all through MCP tools.

by Tyler Berggren (@tyler-berggren)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for tyler-berggren/sitemd.

Install the skill "sitemd" (tyler-berggren/sitemd) from ClawHub.
Skill page: https://clawhub.ai/tyler-berggren/sitemd
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install sitemd

ClawHub CLI

npx clawhub@latest install sitemd
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description align with the actions described in SKILL.md (creating pages, building, deploying). The declared primary credential SITEMD_TOKEN fits the claimed API-key-based automation. Minor mismatch: registry metadata lists no required binaries, yet the instructions expect a local ./sitemd/sitemd binary (or an ./sitemd/install script to fetch it). This could be legitimate (tool shipped per-project) but should be explained.
Instruction Scope
Instructions ask the agent to read project files (pages/, settings/, etc.) which is expected, and to perform auth via magic links (sitemd_auth_login + poll) which is plausible. However, the SKILL.md explicitly directs running an installer (./sitemd/install) to download a binary if none exists; the instructions give no source, checksum, or validation step. That step would let the skill fetch and execute arbitrary code at runtime and is out-of-band relative to the metadata provided.
Install Mechanism
There is no install spec in the registry (instruction-only), but the SKILL.md instructs running a bootstrap script to download a compiled binary. Because the skill package contains no code, the agent would need to fetch the installer/binary from the network at runtime; the SKILL.md does not specify trusted hosts, release URLs, or integrity checks. This is the highest-risk element of the skill.
Credentials
The only declared credential is SITEMD_TOKEN (primaryEnv), and the SKILL.md explains using either magic links or creating API keys for automation. No unrelated secrets or filesystem config paths are requested. The credential request appears proportionate to the advertised functionality.
Persistence & Privilege
always is false and the skill does not declare any system-wide persistence or modification of other skills. The skill can be invoked autonomously (default), which is normal; no privilege escalation or 'always' inclusion is requested.
What to consider before installing
This skill mostly looks like what it says (site management from Markdown), but it instructs the agent to download and run a binary via an installer script that is not included or documented. Before installing or running this skill:

  1. Ask the publisher for the exact install URL(s), release host (GitHub release, official domain), and checksum/signature for the binary.
  2. Prefer providing an API key (SITEMD_TOKEN) with minimal scope over live magic-link flows for automation.
  3. Do not run unknown installers on a production machine; test in an isolated environment or container first.
  4. If you cannot obtain a verifiable install source and integrity information, treat the installer step as high risk and avoid running it.
  5. Request the skill maintainer to include an explicit install spec (trusted URL, checksum) or provide source code you can audit.
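
One way to enforce the integrity check the scan asks for, shown as an added example (not code from sitemd, its installer, or ClawHub): a POSIX shell gate that installs a downloaded file only when it matches a digest pinned in advance. The function names are hypothetical, and the pinned digest is assumed to come from the publisher over a separate trusted channel, since the page lists none.

```shell
#!/bin/sh
# Added example: install a downloaded binary only if it matches a pinned SHA-256.
# File names and digests are caller-supplied; none are published sitemd values.

# sha256_of FILE: print the lowercase hex SHA-256 of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# install_verified SRC EXPECTED_SHA256 DEST
# 0 = digest matched, DEST installed with mode 0755
# 1 = digest mismatch, 2 = bad arguments or I/O error (DEST left untouched)
install_verified() {
    src=$1; expected=$2; dest=$3
    [ -f "$src" ] || { echo "missing file: $src" >&2; return 2; }
    # The pinned digest must be exactly 64 hex characters.
    case $expected in
        ''|*[!0-9a-fA-F]*) echo "digest is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "digest is not 64 chars" >&2; return 2; }
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')

    # Hash a private, non-executable copy so the bytes that were checked
    # are the bytes that get installed (no check-then-swap window).
    tmp="$dest.verify.$$"
    ( umask 077; cp "$src" "$tmp" ) && chmod 0600 "$tmp" || return 2
    actual=$(sha256_of "$tmp")
    if [ "$actual" != "$expected" ]; then
        rm -f "$tmp"
        echo "digest mismatch for $src: got $actual" >&2
        return 1
    fi
    chmod 0755 "$tmp" && mv -f "$tmp" "$dest" || { rm -f "$tmp"; return 2; }
}
```

A digest fetched from the same location as the binary only detects corruption, not substitution, so the pinned value needs to be recorded independently of the download.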

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Primary env: SITEMD_TOKEN
latest: vk979sg86z25dp1t003qtfxaak1858044
152 downloads
0 stars
4 versions
Updated 6d ago
v0.1.3
MIT-0

sitemd

Build websites from Markdown with MCP tools. Works as an OpenClaw skill or plugin — your agent can create, manage, and deploy websites through conversation.

First Steps

  1. If no binary (sitemd/sitemd does not exist) — run ./sitemd/install to download it
  2. Call sitemd_status to understand the project state
  3. If fresh project — read files in pages/, then create pages with sitemd_pages_create
  4. Call sitemd_site_context with a content type to get site identity, conventions, and existing pages
  5. Validate with sitemd_content_validate
  6. Deploy with sitemd_deploy

Authentication

sitemd uses email magic links. When your owner needs to log in:

  1. Call sitemd_auth_login — returns a browser URL
  2. Send the URL to your owner as a message (WhatsApp, Telegram, Discord, etc.)
  3. They tap the link and complete login in their browser
  4. Call sitemd_auth_poll every few seconds until it returns approved

For automated deploys, use sitemd_auth_api_key to create a long-lived key, then set SITEMD_TOKEN in your environment.

Project Structure

  • sitemd — Compiled binary (run ./sitemd/sitemd launch)
  • install — Bootstrap script (run ./sitemd/install to download binary)
  • pages/ — Markdown content files with YAML frontmatter
  • settings/ — Site configuration (YAML frontmatter in .md files)
  • theme/ — CSS and HTML templates
  • media/ — Images and assets
  • site/ — Built output

MCP Tools

| Tool | Purpose |
| --- | --- |
| sitemd_status | Project state overview |
| sitemd_pages_create | Create new pages (writes file + nav + groups) |
| sitemd_pages_create_batch | Create multiple pages in one call |
| sitemd_pages_delete | Delete a page (cleans up nav + groups) |
| sitemd_groups_add_pages | Add pages to group sidebar |
| sitemd_site_context | Site identity, pages, conventions |
| sitemd_content_validate | Validate content quality |
| sitemd_seo_audit | SEO health check with scored report |
| sitemd_init | Initialize project from template |
| sitemd_build | Build without deploying |
| sitemd_deploy | Build and deploy site |
| sitemd_activate | Activate site (permanent) |
| sitemd_clone | Clone an existing website |
| sitemd_config_set | Set backend config (routes secrets vs non-secrets) |
| sitemd_auth_login | Start login flow |
| sitemd_auth_poll | Poll for login completion |
| sitemd_auth_status | Check auth state and license info |
| sitemd_auth_api_key | Create API key for automation |
| sitemd_auth_setup | Enable user authentication |
| sitemd_update_check | Check for updates |
| sitemd_update_apply | Apply updates |

Read pages, settings, and groups files directly — no MCP tool needed for reads.

Settings Files

All configuration is in settings/*.md frontmatter:

| File | Controls |
| --- | --- |
| meta.md | Site title, brand name, description, URL |
| header.md | Navigation items, brand display, search |
| footer.md | Footer links, copyright, social |
| groups.md | Page groups for sidebars and dropdowns |
| theme.md | Colors, fonts, layout, light/dark/paper modes |
| build.md | Dev server port, output directory |
| deploy.md | Domain, deploy target |
| seo.md | OG images, sitemaps, structured data |

Content Types

sitemd supports structured content generation. Call sitemd_site_context with a type to get conventions and existing pages. The syntax reference is below.

  • page — General pages. Second person, present tense, lead with reader value.
  • docs — Documentation. Imperative mood, show what to type, code blocks, tables.
  • blog — Blog posts. Opinionated, date line, 400-1200 words.
  • changelog — Release notes. Terse, Added/Changed/Fixed/Removed sections.
  • roadmap — Product roadmap. Shipped/In Progress/Planned sections.

Markdown Extensions

Beyond standard markdown, sitemd supports rich components. The syntax reference is below.

  • button: Label: /slug — styled buttons. Modifiers: +outline, +big, +newtab, +color:red
  • card: Title / card-text: / card-image: / card-link: — responsive card grids
  • embed: URL — auto-detects YouTube, Vimeo, Spotify, X, CodePen, etc.
  • gallery: with indented ![alt](url) — image grid with lightbox
  • image-row: with indented ![alt](url) — equal-height image row
  • ![alt](url +width:N +circle +bw +expand) — image modifiers
  • [text]{tooltip content} — inline tooltips
  • modal: id with indented content, trigger via [link](#modal:id) — modal dialogs
  • {#custom-id} — inline anchors
  • [text](url+newtab) — link modifiers
  • form: with indented YAML — forms
  • gated: type1, type2 ... /gated — gated sections
  • data: source / data-display: cards|list|table — dynamic data
