Skills sitemapkit
📦

sitemapkit

Medium Risk 🌐 Network access🔑 Env variables

Discover Website Sitemaps

Website URL discovery is slow when sitemap locations are unknown. This skill uses SitemapKit to find sitemap files, extract URLs, and summarize crawl coverage.

Supports: Claude Codex Code(CC)
⚠️ 50 Poor
1

Download the skill ZIP

2

Upload in Claude

Go to Settings → Capabilities → Skills → Upload skill

3

Toggle on and start using

Agent-readable resources

Use these links when an AI agent, crawler, or script needs clean context instead of reading the full page.

Test it

Using "sitemapkit". Find all sitemaps for stripe.com.

Expected outcome:

A concise list of discovered sitemap URLs, the discovery methods used, and remaining monthly quota when available.

Using "sitemapkit". Extract every URL from a product sitemap.

Expected outcome:

A readable URL list with optional last modified dates and a note if the result was truncated.

Using "sitemapkit". Run a full crawl for a website before migration.

Expected outcome:

A summary of sitemap counts, processed sitemap files, total URLs, truncation status, and representative URL sections.

Security Audit

Medium Risk
v2 • 6/27/2026

Static analysis reported command execution, weak crypto, filesystem, network, and credential patterns. Review found the command and weak-crypto alerts are false positives from Markdown backticks, TypeScript template strings, and documentation text, while network access and SITEMAPKIT_API_KEY usage are intentional for the SitemapKit API. The skill is publishable with a warning because user-supplied URLs and an API key are sent to a third-party service.

5
Files scanned
436
Lines analyzed
7
findings
2
Total audits
Medium Risk Issues (2)
Third-party API receives user URLs and API key
The MCP server reads SITEMAPKIT_API_KEY from the environment and sends it with user-provided sitemap or domain URLs to https://app.sitemapkit.com. This is expected for the service, but it exposes browsing targets and credentials to a third-party API and should be disclosed to users.
Remote crawling delegated to external service
Tool calls accept user-provided url values and forward them to the SitemapKit API for discovery or extraction. This can reveal target domains or sitemap URLs and can consume a user quota on the external service.
Low Risk Issues (3)
Documentation references hidden MCP configuration files
README.md mentions user configuration paths such as .cursor/mcp.json and ~/.codeium/windsurf/mcp_config.json. These are setup instructions, not code that reads or writes hidden files.
Static command-execution alerts are Markdown and string formatting false positives
The backtick detections in README.md and SKILL.md are inline code formatting, and the detections in src/index.ts are template literals used to format API responses and errors. No shell execution API or dynamic command invocation was found.
Weak-crypto alerts are false positives
The reported weak-cryptography locations do not show cryptographic code. They appear to match ordinary text such as Markdown, MCP, sitemap, or example strings.

Detected Patterns

Authenticated outbound fetch to fixed API endpoint
Audited by: codex View Audit History →

Quality Score

55
Architecture
100
Maintainability
87
Content
69
Community
49
Security
83
Spec Compliance

What You Can Build

SEO site inventory

Collect sitemap URLs and page counts before checking index coverage or migration readiness.

Competitive content mapping

Extract public sitemap URLs from a competitor domain to understand site sections and publishing scale.

Developer migration checks

Compare expected pages against sitemap output before or after a site launch.

Try These Prompts

Find sitemap files
Find all sitemap files for https://example.com and tell me where each sitemap was discovered.
Extract one sitemap
Extract the URLs from https://example.com/sitemap.xml and include last modified dates when available.
Audit site URL count
Run a full sitemap crawl for https://example.com with a limit of 5000 URLs. Summarize total URLs, processed sitemaps, and truncation status.
Compare launch coverage
Discover all sitemaps for https://example.com, group the returned URLs by site section, and flag sections with unexpectedly low page counts.

Best Practices

  • Confirm the target domain is public and appropriate to send to SitemapKit.
  • Start with sitemap discovery before running a full crawl on large sites.
  • Set max_urls deliberately to control result size and quota usage.

Avoid

  • Do not use it for private URLs or sensitive internal domains.
  • Do not assume a sitemap contains every live page on a site.
  • Do not request very high URL limits without checking quota and truncation status.

Frequently Asked Questions

Does this skill need an API key?
Yes. The MCP server requires SITEMAPKIT_API_KEY to authenticate with SitemapKit.
Does it send data outside my environment?
Yes. It sends the target domain or sitemap URL to the SitemapKit API.
Can it crawl pages without a sitemap?
It focuses on sitemap discovery and extraction. It is not a full browser crawler.
What happens when results are too large?
The response can be truncated. Increase max_urls if your plan and quota allow it.
Which assistants can use it?
The report lists support for Claude, Codex, and Claude Code through MCP-compatible setup.
Can it show remaining quota?
Yes. It reports remaining monthly requests when SitemapKit returns quota metadata.

Developer Details

Author

0nl1n1n

License

MIT

Ref

main

File structure

📁 src/

📄 index.ts

📄 package.json

📄 README.md

📄 SKILL.md

📄 tsconfig.json