Docs Feeder
Pass
Audited by ClawScan on May 10, 2026.
Overview
Docs Feeder does what it claims—fetches documentation and prints or saves it—but users should remember that fetched web content is untrusted agent context.
This skill appears safe for its stated purpose. Before installing, be aware that it fetches web documentation and feeds it to the agent, so use trusted project names or URLs and do not let text from fetched pages override your instructions or security rules.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or compromised documentation page could influence the agent if the agent treats fetched text as instructions.
The skill is designed to place fetched documentation into the agent's working context. Remote documentation can contain prompt-like text or misleading instructions, so it should be treated as reference material rather than trusted instructions.
dump the whole thing into context and let the AI cross-reference
Use trusted documentation sources and instruct the agent to treat fetched docs as untrusted reference content, not as commands or policy.
If invoked with an untrusted or mistaken URL, the agent can retrieve and load content from an unintended site.
The script allows direct HTTP/HTTPS URL input and then fetches documentation paths from that base URL. This is central to the skill's purpose, but it is broad outbound network behavior.
if (input.match(/^https?:\/\//)) { ... result = await fetchLlmsTxt(input);
Invoke the skill with known documentation URLs or registry project names, and review the reported source before relying on the output.
Users have less provenance and setup information than ideal before running the helper scripts.
The package has limited provenance metadata and does not declare required binaries, even though SKILL.md uses Node.js and the included shell helper requires curl and jq. The full source is provided and behavior is coherent, so this is a review note rather than a concern.
Source: unknown; Homepage: none; Required binaries (all must exist): none; No install spec
Inspect the included scripts before use and run them in an environment where Node.js, and optionally curl/jq for the shell script, are intentionally available.
