ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

sitemd plugin

v0.1.3

Build and manage websites from Markdown. Create pages, generate content, configure settings, and deploy — all through MCP tools.

0· 114·0 current·0 all-time
byTyler Berggren@tyler-berggren

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for tyler-berggren/sitemd-plugin.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "sitemd plugin" (tyler-berggren/sitemd-plugin) from ClawHub.
Skill page: https://clawhub.ai/tyler-berggren/sitemd-plugin
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install sitemd-plugin

ClawHub CLI

Package manager switcher

npx clawhub@latest install sitemd-plugin
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (build/manage websites from Markdown) align with payload: MCP tooling names, CLI wrappers, and a bootstrap installer are all appropriate. The declared primary credential (SITEMD_TOKEN) matches the documented API-key use for automated deploys. Minor metadata inconsistency: registry metadata listed "Required env vars: none" even though primaryEnv is SITEMD_TOKEN in SKILL.md/openclaw metadata — this is likely a bookkeeping omission but should be fixed.
Instruction Scope
SKILL.md instructs the agent to read site files (pages/, settings/) and to run MCP tools (status, pages_create, deploy, auth flows). It also instructs sending the auth magic-link URL to the owner via messaging (WhatsApp/Telegram/Discord), which is expected for email-magic workflows but means the agent will need a messaging connector to communicate the link. No instructions ask for unrelated system files, passwords, or to exfiltrate secrets; SOUL.md explicitly forbids sharing tokens.
Install Mechanism
install.js downloads a release archive from GitHub Releases (https://github.com/sitemd-cc/sitemd/releases/download), extracts it, and writes a native binary (sitemd-bin) to disk. GitHub Releases is a standard host (lower risk than an arbitrary IP or pastebin). The installer extracts archives and may run the downloaded binary to scaffold a project and copy agent files into the project root, which is normal for a project scaffold but means native code will be written and executed on install — review/trust the upstream binary before running.
Credentials
Only one credential is declared (SITEMD_TOKEN) and its purpose (long-lived API key for automated deploys) is documented. The skill does not request unrelated credentials. Note: registry metadata showing "Required env vars: none" conflicts with primaryEnv; the SITEMD_TOKEN requirement is justified by the documented API-key flow.
Persistence & Privilege
always is false and the skill is user-invocable; the installer may write agent resource files and scaffold ./sitemd/ in the project root (controlled by INIT_CWD and guard-conditions in install.js). Writing its own agent files and scaffolding is expected for this type of plugin, but you should expect the installer to create files in your project directory.
Assessment
This skill appears internally consistent with a static-site builder: it downloads a native sitemd binary from the project's GitHub Releases, may scaffold files in your project root, and uses an API key (SITEMD_TOKEN) for automated deploys. Before installing, verify the upstream repository (https://github.com/sitemd-cc/sitemd and https://sitemd.cc) and that you trust their release binaries. Expect the installer to write files under ./sitemd/ or your project root and to execute the binary; if you want to be cautious, run the install in an isolated environment or inspect the downloaded binary/source first. Note the minor metadata inconsistency where the registry lists no required env vars but the skill declares SITEMD_TOKEN as primary — treat SITEMD_TOKEN as a secret and do not share it in messages. Confirm before allowing any automated deploys and ensure the agent obtains explicit owner confirmation prior to deploying production sites.
sitemd/install.js:57
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Primary envSITEMD_TOKEN
latestvk9722z6d5pq3efa791fwrdthjh8586z3
114downloads
0stars
3versions
Updated 1w ago
v0.1.3
MIT-0
Tyler Berggren@tyler-berggren
latest
Download

sitemd

Build websites from Markdown with MCP tools. Works as an OpenClaw skill or plugin — your agent can create, manage, and deploy websites through conversation.

First Steps

  1. If no binary (sitemd/sitemd does not exist) — run ./sitemd/install to download it
  2. Call sitemd_status to understand the project state
  3. If fresh project — read files in pages/, then create pages with sitemd_pages_create
  4. Call sitemd_site_context with a content type to get site identity, conventions, and existing pages
  5. Validate with sitemd_content_validate
  6. Deploy with sitemd_deploy

Authentication

sitemd uses email magic links. When your owner needs to log in:

  1. Call sitemd_auth_login — returns a browser URL
  2. Send the URL to your owner as a message (WhatsApp, Telegram, Discord, etc.)
  3. They tap the link and complete login in their browser
  4. Call sitemd_auth_poll every few seconds until it returns approved

For automated deploys, use sitemd_auth_api_key to create a long-lived key, then set SITEMD_TOKEN in your environment.

Project Structure

  • sitemd — Compiled binary (run ./sitemd/sitemd launch)
  • install — Bootstrap script (run ./sitemd/install to download binary)
  • pages/ — Markdown content files with YAML frontmatter
  • settings/ — Site configuration (YAML frontmatter in .md files)
  • theme/ — CSS and HTML templates
  • media/ — Images and assets
  • site/ — Built output

MCP Tools

ToolPurpose
sitemd_statusProject state overview
sitemd_pages_createCreate new pages (writes file + nav + groups)
sitemd_pages_create_batchCreate multiple pages in one call
sitemd_pages_deleteDelete a page (cleans up nav + groups)
sitemd_groups_add_pagesAdd pages to group sidebar
sitemd_site_contextSite identity, pages, conventions
sitemd_content_validateValidate content quality
sitemd_seo_auditSEO health check with scored report
sitemd_initInitialize project from template
sitemd_buildBuild without deploying
sitemd_deployBuild and deploy site
sitemd_activateActivate site (permanent)
sitemd_cloneClone an existing website
sitemd_config_setSet backend config (routes secrets vs non-secrets)
sitemd_auth_loginStart login flow
sitemd_auth_pollPoll for login completion
sitemd_auth_statusCheck auth state and license info
sitemd_auth_api_keyCreate API key for automation
sitemd_auth_setupEnable user authentication
sitemd_update_checkCheck for updates
sitemd_update_applyApply updates

Read pages, settings, and groups files directly — no MCP tool needed for reads.

Settings Files

All configuration is in settings/*.md frontmatter:

FileControls
meta.mdSite title, brand name, description, URL
header.mdNavigation items, brand display, search
footer.mdFooter links, copyright, social
groups.mdPage groups for sidebars and dropdowns
theme.mdColors, fonts, layout, light/dark/paper modes
build.mdDev server port, output directory
deploy.mdDomain, deploy target
seo.mdOG images, sitemaps, structured data

Content Types

sitemd supports structured content generation. Call sitemd_site_context with a type to get conventions and existing pages. The syntax reference is below.

  • page — General pages. Second person, present tense, lead with reader value.
  • docs — Documentation. Imperative mood, show what to type, code blocks, tables.
  • blog — Blog posts. Opinionated, date line, 400-1200 words.
  • changelog — Release notes. Terse, Added/Changed/Fixed/Removed sections.
  • roadmap — Product roadmap. Shipped/In Progress/Planned sections.

Markdown Extensions

Beyond standard markdown, sitemd supports rich components. The syntax reference is below.

  • button: Label: /slug — styled buttons. Modifiers: +outline, +big, +newtab, +color:red
  • card: Title / card-text: / card-image: / card-link: — responsive card grids
  • embed: URL — auto-detects YouTube, Vimeo, Spotify, X, CodePen, etc.
  • gallery: with indented ![alt](url) — image grid with lightbox
  • image-row: with indented ![alt](url) — equal-height image row
  • ![alt](url +width:N +circle +bw +expand) — image modifiers
  • [text]{tooltip content} — inline tooltips
  • modal: id with indented content, trigger via [link](#modal:id) — modal dialogs
  • {#custom-id} — inline anchors
  • [text](url+newtab) — link modifiers
  • form: with indented YAML — forms
  • gated: type1, type2 ... /gated — gated sections
  • data: source / data-display: cards|list|table — dynamic data

Comments

Loading comments...