Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Beta SEO Analyzer

v1.0.0

Analyzes websites for SEO opportunities. Generates keyword ideas, checks on-page SEO factors, and provides actionable optimization recommendations.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The SKILL.md advertises many features (keyword density, link analysis, page-speed/resource analysis, Open Graph tag checks, internal vs external link counts, benchmarks) but the shipped seo.py only fetches a page and returns title, meta description (first 100 chars), H1 count, word count, and a simple 'viewport' substring check. Usage examples in SKILL.md show a --depth flag, but seo.py does not accept that flag. The required binary (python3) is reasonable for the stated purpose, but the feature claims are disproportionate to the actual implementation.
Instruction Scope
Runtime instructions are limited to running the included Python script and do not request secrets or local file reads. However, the SKILL.md examples and feature list overstate capabilities (see above). Also, the script fetches arbitrary URLs using urllib.request — this means if the agent runs the skill it can make HTTP requests to any address reachable from the host, including internal IPs and metadata endpoints; that operational risk (SSRF/exposing internal content) should be considered even though the skill does not itself exfiltrate to external services.
Install Mechanism
There is no install spec; the skill is instruction-only with a small Python script. No third-party packages or downloads are performed. This is the lowest-risk install pattern.
Credentials
The skill only requires python3 and declares no environment variables or credentials. That request is proportionate to the implemented functionality.
Persistence & Privilege
always is false, and the skill does not request persistent/system-wide changes or access to other skills' configs. It appears to run only when invoked.
What to consider before installing
This skill is inconsistent: its documentation promises many SEO checks that the included script does not perform, and the example commands include flags the script doesn't support. If you need the advertised features, ask the publisher for the real implementation or the full source. If you still want to run it: 1) run the script in an isolated environment (sandbox/container) to avoid unintended requests to internal services; 2) do not point it at sensitive internal or cloud metadata endpoints because it will fetch any URL the host can reach; 3) verify the code matches the README before trusting output or granting broader access; and 4) prefer skills with a known homepage or maintainer and clearer provenance for production use.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🔍 Clawdis
Bins: python3
