clawpage-skill Security Report — Trusted | ClawSafe

5 /100

clawpage-skill

Router skill for Clawpage page creation, publishing, and template management workflows

Legitimate page publishing framework with no malicious behavior, obfuscation, or undeclared capabilities. All functionality is properly documented in SKILL.md files.

Skill Nameclawpage-skill

Duration37.3s

Enginepi

✓

Safe to install

This skill is safe to use. Standard security hygiene: keep keys.local.json local, use version-pinned Node.js, and verify api.clawpage.ai domain legitimacy.

Findings 1 items

Severity	Finding	Location
Low	CDN-hosted TailwindCSS dependency Supply Chain Templates load TailwindCSS from cdn.tailwindcss.com. This is standard practice but introduces an external dependency. No sensitive data is transmitted. `<script src="https://cdn.tailwindcss.com">` → Consider self-hosting TailwindCSS for stricter supply chain control if required.	`templates/*/index.html:7`

Resource	Declared	Inferred	Status	Evidence
Shell	`WRITE`	`WRITE`	✓ Aligned	SKILL.md declares node binary requirement; scripts use 'node ./scripts/*.mjs'
Filesystem	`WRITE`	`WRITE`	✓ Aligned	Writes to .pages/, templates/, keys.local.json - all scoped and documented
Network	`READ`	`READ`	✓ Aligned	Only accesses api.clawpage.ai for registration and page CRUD operations
Environment	`NONE`	`NONE`	—	No environment variable access beyond API_HOST default
Browser	`NONE`	`NONE`	—	Templates render static HTML; no browser automation

12 findings

🔗

Medium External URL 外部 URL

https://api.clawpage.ai/api/register

AGENTS.md:22

🔗

Medium External URL 外部 URL

https://api.clawpage.ai

SKILL.md:66

🔗

Medium External URL 外部 URL

https://api.clawpage.ai/api/pages

references/api-quickref.md:66

🔗

Medium External URL 外部 URL

https://u-builder01.clawpage.ai/pages/claw_xxx

references/api-quickref.md:80

🔗

Medium External URL 外部 URL

https://u-builder01.clawpage.ai/pages/claw_xxx?pagecode=123456

references/api-quickref.md:84

🔗

Medium External URL 外部 URL

https://api.clawpage.ai/api/pages?page=1&limit=20

references/api-quickref.md:112

🔗

Medium External URL 外部 URL

https://api.clawpage.ai/api/pages/

references/api-quickref.md:121

🔗

Medium External URL 外部 URL

https://u-builder01.clawpage.ai/__auth

references/api-quickref.md:175

🔗

Medium External URL 外部 URL

https://api.clawpage.ai/healthz

references/api-quickref.md:183

🔗

Medium External URL 外部 URL

https://api.clawpage.ai/api/pages?page=1&limit=50

skills/create-management-page/SKILL.md:55

🔗

Medium External URL 外部 URL

https://cdn.tailwindcss.com

templates/concept-animation-lab/index.html:7

🔗

Medium External URL 外部 URL

https://clawpage.ai

templates/concept-animation-lab/index.html:34

File Tree

38 files · 114.6 KB · 3488 lines

Markdown 17f · 1252L CSS 6f · 1082L JavaScript 8f · 827L HTML 6f · 321L JSON 1f · 6L

├─ ▾ 📁 references

│ ├─ 📝 api-quickref.md Markdown 197L · 5.3 KB

│ ├─ 📝 design-guidelines.md Markdown 154L · 6.6 KB

│ └─ 📝 prompt-contracts.md Markdown 78L · 5.2 KB

├─ ▾ 📁 scripts

│ ├─ 📜 clawpages_init.mjs JavaScript 145L · 4.2 KB

│ └─ 📜 clawpages_publish.mjs JavaScript 395L · 12.9 KB

├─ ▾ 📁 skills

│ ├─ ▾ 📁 create-management-page

│ │ └─ 📝 SKILL.md Markdown 121L · 5.5 KB

│ ├─ ▾ 📁 create-page

│ │ └─ 📝 SKILL.md Markdown 151L · 9.9 KB

│ ├─ ▾ 📁 create-template

│ │ └─ 📝 SKILL.md Markdown 55L · 1.8 KB

│ ├─ ▾ 📁 init

│ │ └─ 📝 SKILL.md Markdown 32L · 1022 B

│ ├─ ▾ 📁 update-page

│ │ └─ 📝 SKILL.md Markdown 136L · 7.9 KB

│ └─ ▾ 📁 update-template

│ └─ 📝 SKILL.md Markdown 54L · 1.8 KB

├─ ▾ 📁 templates

│ ├─ ▾ 📁 concept-animation-lab

│ │ ├─ 📄 default.css CSS 180L · 3.7 KB

│ │ ├─ 📜 default.js JavaScript 45L · 1.5 KB

│ │ ├─ 📄 index.html HTML 51L · 1.7 KB

│ │ └─ 📝 meta.md Markdown 13L · 434 B

│ ├─ ▾ 📁 general_template

│ │ ├─ 📄 default.css CSS 287L · 4.9 KB

│ │ ├─ 📜 default.js JavaScript 47L · 1.4 KB

│ │ ├─ 📄 index.html HTML 69L · 2.6 KB

│ │ └─ 📝 meta.md Markdown 88L · 2.8 KB

│ ├─ ▾ 📁 insight-collection-hub

│ │ ├─ 📄 default.css CSS 160L · 3.4 KB

│ │ ├─ 📜 default.js JavaScript 48L · 1.7 KB

│ │ ├─ 📄 index.html HTML 50L · 1.6 KB

│ │ └─ 📝 meta.md Markdown 13L · 423 B

│ ├─ ▾ 📁 mini-game-arcade

│ │ ├─ 📄 default.css CSS 143L · 3.1 KB

│ │ ├─ 📜 default.js JavaScript 60L · 1.2 KB

│ │ ├─ 📄 index.html HTML 50L · 1.6 KB

│ │ └─ 📝 meta.md Markdown 13L · 395 B

│ ├─ ▾ 📁 stock-analysis-terminal

│ │ ├─ 📄 default.css CSS 139L · 3.0 KB

│ │ ├─ 📜 default.js JavaScript 51L · 1.8 KB

│ │ ├─ 📄 index.html HTML 51L · 1.7 KB

│ │ └─ 📝 meta.md Markdown 13L · 447 B

│ └─ ▾ 📁 utility-workbench

│ ├─ 📄 default.css CSS 173L · 3.7 KB

│ ├─ 📜 default.js JavaScript 36L · 1.2 KB

│ ├─ 📄 index.html HTML 50L · 1.6 KB

│ └─ 📝 meta.md Markdown 13L · 434 B

├─ 📝 AGENTS.md Markdown 47L · 2.7 KB

├─ 📋 keys.local.example.json JSON 6L · 95 B

└─ 📝 SKILL.md Markdown 74L · 3.2 KB

Dependencies 2 items

Package	Version	Source	Known Vulns	Notes
`node`	`any`	system	No	Runtime dependency declared in SKILL.md install.binaries
`tailwindcss`	`latest (CDN)`	cdn.tailwindcss.com	No	CDN-hosted; not pinned to specific version

Security Positives

✓ No obfuscation or encoded payloads found

✓ No credential harvesting beyond local key management

✓ No remote code execution patterns (curl|bash, wget|sh)

✓ No sensitive path access (~/.ssh, ~/.aws, .env)

✓ No C2 communication or data exfiltration

✓ No reverse shell capabilities

✓ All shell commands are explicitly declared (node script execution)

✓ Network calls scoped to legitimate API endpoint (api.clawpage.ai)

✓ Token management follows security best practices (local file, gitignored)

✓ Documentation accurately reflects implementation

✓ No hidden instructions in HTML comments

Scan Report

Findings 1 items

File Tree

Dependencies 2 items

Security Positives