Skill v0.1.0
ClawScan security
GEO Content Guard · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 15, 2026, 5:20 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly matches its stated purpose (scanning web/content for GEO/SEO signals) but contains undeclared external-AI integration and documentation mismatches that could result in unintended content exfiltration if enabled.
- Guidance: This skill appears to do what it says (scan web content for GEO/SEO signals) but has two important issues you should consider before installing or enabling it:
  1. Optional AI review can send content (URL, excerpt, and static analysis) to an external service (zenmux.ai) when ZENMUX_API_KEY (and related ZENMUX_* / GEO_GUARD_* env vars) are set. Those env vars are not declared in the skill metadata or SKILL.md. Do not set an API key unless you are comfortable with the skill transmitting excerpts (and possibly snippets of local files) to that external service. If you need the AI review capability, review the ai_review implementation and confirm the exact payload and destination.
  2. The SKILL.md report path (hardcoded /root/clawd/...) does not match the policy's {workspace}/output/... and the code's workspace resolution. Expect the reports to live under the agent workspace, not necessarily /root. Verify write locations if that matters for your environment.

  Recommendations:
  - If you will run scan-file on local files, do not enable --with-ai or set ZENMUX_API_KEY unless you explicitly want those files sent externally.
  - Ask the publisher to update SKILL.md and metadata to declare the optional env vars and to document what the AI review sends and to which host.
  - Audit the remainder of lib/audit.py (functions truncated in the provided files: combine_results, build_report, write_report) to confirm they don't call other external endpoints or leak credentials.
  - Consider running the skill in a restricted environment (no ZENMUX_API_KEY, network egress blocked or monitored) while you review behavior.

  Confidence is medium because the code is mostly visible and coherent for its stated purpose, but the undeclared external-AI integration and documentation mismatches raise non-trivial risks that need explicit user consent.
Review Dimensions
- Purpose & Capability (note): The code and commands align with the description: python3 scripts fetch URLs, load files, analyze text for brand/CTA/promo patterns, and emit PASS/WARN/BLOCK. Requiring only python3 is proportionate. One minor oddity: default policy brand_terms includes 'openclaw' (self-referential), which is plausible but worth noting.
- Instruction Scope (concern): Instructions let the agent fetch arbitrary URLs and read arbitrary local files (scan-file). The SKILL.md states JSON reports are written to /root/clawd/output/..., but the shipped policy and code resolve reports to a {workspace}/output/... path — documentation and code mismatch. More importantly, the optional --with-ai mode triggers an AI review that (per code) transmits an excerpt + static analysis to an external service (zenmux.ai) when ZENMUX_API_KEY is set; SKILL.md does not document the env vars or that content will be sent externally. Allowing local-file scans combined with AI review can cause local data to be transmitted off-host.
- Install Mechanism (ok): No install spec; this is an instruction-only skill distributed with Python scripts and a JSON policy. That has a low install risk surface (no external downloads during install).
- Credentials (concern): The skill declares no required env vars, but the code reads several environment variables for optional AI review (e.g., ZENMUX_API_KEY, ZENMUX_ANTHROPIC_BASE_URL, GEO_GUARD_MODEL, ZENMUX_ANTHROPIC_MODEL, GEO_GUARD_AI_MAX_CHARS). ZENMUX_API_KEY unlocks sending content+metadata to an external API. These env vars are not documented in SKILL.md or metadata, which is an incoherence and a potential exfiltration vector if the user enables AI review without realizing what's transmitted.
- Persistence & Privilege (ok): The skill is not always-included and does not request elevated privileges. It writes reports to a workspace path and modifies only its own report output; autonomous invocation is allowed (default) but not combined with 'always: true'. No evidence of altering other skills or system-wide settings.
