Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

docsiphon Doc Corpus Operator

v1.0.0

Use when an agent needs to run Docsiphon through the CLI-first path, export a small documentation subtree, and inspect the resulting audit artifacts without...

by Yifeng[Terry] Yu @xiaojiou176
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the contents: the packet teaches CLI-first Docsiphon usage (uvx/uv), a scoped export, and inspection of local artifacts. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md and references instruct running uvx to fetch and run Docsiphon and to export/inspect site content. This stays within the stated scope, but the demo example includes a third-party target URL (developerdocs.instructure.com) and the flow entails crawling external sites and producing local artifacts — users should be aware that running the demo will retrieve remote site content.
Install Mechanism
There is no install spec (instruction-only), which is low risk. However, the recommended flow runs 'uvx --from git+https://.../docsiphon.git' which fetches and executes code from a GitHub repo at runtime; fetching/executing remote code is expected for a CLI-first package but carries the usual trust risk and should be done in an isolated environment or after code review.
Credentials
The packet declares no environment variables, credentials, or config paths. The lack of secrets is proportionate to the described function.
Persistence & Privilege
Flags are default (not always), no persistent installation mechanism or cross-skill/system config modification is requested. Autonomous invocation is allowed by default but is not combined here with elevated privileges or credential access.
Assessment
This packet is internally consistent and simply documents how to run Docsiphon via the uv/uvx CLI and inspect local export artifacts. Before running the demo: (1) review the remote GitHub repo you will execute with uvx (it will fetch and run code), (2) run the export in an isolated/sandboxed environment if you are unsure about the repo, and (3) avoid pointing the tool at private or sensitive sites unless you intend to export that content and have authorization to do so.

Like a lobster shell, security has layers — review code before you run it.

Tags: ai-agents, cli, corpus, docs, latest, local-first
