Plugin v0.1.0
ClawScan security
sitemd plugin · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 6, 2026, 3:32 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill generally matches its website-building purpose, but there are inconsistent metadata declarations about credentials and a packaged install script that downloads and extracts a binary — both of which merit caution before installing.
- Guidance: This skill appears to do what it says (build and deploy sites), but take a few precautions: (1) Note the inconsistency — SKILL.md expects a SITEMD_TOKEN even though registry metadata claims no env is required; verify whether you'll need to supply a token and what permissions that token requires. (2) The included sitemd/install script will download and extract a binary from GitHub Releases and install it under sitemd/ — review the repository's releases and ideally verify checksums or signatures before running the installer. (3) If you enable automated deploys by setting SITEMD_TOKEN, limit its scope and treat it as a secret; do not paste tokens into chat messages. (4) If you have any doubt, prefer running the installer and the binary in an isolated/test environment first, or clone the upstream repo and inspect the release artifacts before trusting them.
Review Dimensions
- Purpose & Capability (note): The skill's name, description, and MCP tool list align with a markdown-based static-site builder. It legitimately needs a local sitemd binary and an optional SITEMD_TOKEN for automated deploys. However, registry metadata supplied with the skill (top-level Requirements summary) claims no primary credential while the skill's SKILL.md metadata sets primaryEnv: SITEMD_TOKEN — an inconsistency that could confuse permission prompts or automated installs.
- Instruction Scope (ok): SKILL.md instructions stay within the declared domain: checking project state, reading and editing pages/ settings/, validating content, and running auth/deploy flows. It asks the agent to send an authentication URL to the owner (expected for magic-link login) and to avoid sharing tokens. There are no instructions to read unrelated system files or exfiltrate data to unexpected endpoints.
- Install Mechanism (note): Although the package is instruction-only, it includes an install script that downloads a platform binary from GitHub Releases and extracts it into the skill directory. Using GitHub releases is reasonable and preferable to arbitrary hosts, but the script will write and mark executable a binary on disk — a higher-risk operation than a pure-instructions skill and worth manual review (and preferably verifying release signatures/checksums) before running.
- Credentials (concern): The SKILL.md declares primaryEnv: SITEMD_TOKEN (appropriate for hands-free deploys). The top-level skill metadata provided earlier, however, lists no required env vars or primary credential — this mismatch is concerning because it may hide that a secret-token environment variable is expected or used. Requesting a single API token is proportionate to the feature, but confirm token scope and how the skill stores/uses it before providing one.
- Persistence & Privilege (ok): The skill does not set always:true, does not request system-wide config changes in its instructions, and confines installation to its own sitemd/ directory. Autonomous invocation (disable-model-invocation:false) is the platform default and not by itself concerning.
