Is clawddocs safe?

The skill includes 7 bash scripts and instructs the agent to execute them. While all are currently stubs that only echo messages, they establish a pattern where the agent will run local shell scripts. If a future version replaces these with functional scripts containing network access or file manipulation, the agent would execute them based on the SKILL.md instructions.

SKILL.md assigns the agent a specific persona ('You are an expert on Clawdbot documentation') and defines a workflow that the agent should follow when users ask about Clawdbot. This is standard skill behavior but does modify agent behavior.

The skill instructs the agent to 'Fetch the doc: ./scripts/fetch-doc.sh or use browser' and references docs.clawd.bot URLs. While the script currently only echoes URLs, the 'or use browser' instruction could cause the agent to navigate to external URLs, which is a mild prompt injection vector for content injection via fetched pages.

The build-index.sh script has a 'fetch' subcommand described as 'Download all docs'. Currently a stub, but indicates intent to download content from the internet in a future version.

The common-configs.md file contains template patterns like ${DISCORD_TOKEN} and ${TELEGRAM_TOKEN}. These are documentation examples showing users how to configure their bots, not exfiltration attempts. However, if an agent were to interpret these literally and substitute actual environment variables, it could inadvertently expose tokens in conversation.

The skill establishes agent trust in running local scripts. If the skill registry allows updates, a malicious update could replace stub scripts with harmful ones that the agent would execute based on existing SKILL.md instructions.