VVVLINK Site Builder
v1.8.1Build and publish websites on vvvlink.com. Creates HTML sites, uploads to VVVLink API, publishes with unique subdomain URLs. Triggers on: "create a site", "b...
⭐ 0· 106·0 current·0 all-time
by@vladlat
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match the behavior in SKILL.md and references: the skill builds static HTML, stores site files under ~/.vvvlink/sites/, obtains/stores an API key, and calls publish.vvvlink.com endpoints to create/upload/publish sites. There are no extra credentials, binaries, or unrelated installation steps requested.
Instruction Scope
Runtime instructions only interact with the vvvlink API and the local ~/.vvvlink/ directory (config.json and generated site files). The SKILL.md explicitly instructs how to obtain and store the API key, how to search for images via the image proxy, and the exact API calls to make. There is no instruction to read unrelated system files, environment variables, or other skill configurations.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to run locally. That minimizes disk-written code and reduces install risk. No external download URLs or package installs are requested.
Credentials
The skill requests no environment variables and its only credential is an API key created/stored in ~/.vvvlink/config.json. That API key is appropriate for the described API calls and is declared as secret in the docs. There are no unrelated secrets or credentials requested.
Persistence & Privilege
The skill persists an account config and generated site files to ~/.vvvlink/. This is expected for a site-builder but is a lasting change on the user's filesystem. always:false (not force-included) and the skill does not request system-wide privileges or modify other skills.
Assessment
This skill appears to do what it says: it will create a local folder (~/.vvvlink/) for config and generated sites and call publish.vvvlink.com to create/upload/publish sites. Before installing or using it, consider: 1) Trust: the skill will upload content to a third-party service (publish.vvvlink.com) — ensure you trust that service and understand its privacy/retention policies. 2) Local files: it will write ~/.vvvlink/config.json containing your API key (stored with chmod 600 per docs) and site files — back up anything you care about and inspect that directory if desired. 3) API key handling: the skill instructs never to show the apiKey; it is stored in plaintext JSON (file-permissions only). If you require encrypted storage, do not use it or rotate keys after use. 4) Image sourcing: the skill uses an image proxy that returns Unsplash URLs and explicitly instructs not to add photographer credits — this is a policy/attribution concern (not a direct security issue) but may have licensing implications. 5) Auditability: because this is instruction-only, behavior is entirely driven by the SKILL.md; if you want more assurance, test with non-sensitive content or monitor network requests to confirm only the documented endpoints are contacted. If any of these points are unacceptable, do not enable the skill or consult the service owner for more guarantees.Like a lobster shell, security has layers — review code before you run it.
latestvk973w0hcqyptypw286m6509cgd834jar
License
MIT-0
Free to use, modify, and redistribute. No attribution required.