Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SEO Content Quality Auditor — CORE-EEAT Gate

v7.2.0

SEO content quality auditor: 80-item CORE-EEAT publish-readiness audit with weighted scoring, veto checks, and prioritized fix plan for search rankings. Part...

by Aaron Zhu (@aaron-he-zhu)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, and instructions align: an 80-item CORE-EEAT audit that reads content (URL or pasted text) and produces a report and prioritized fixes. No unexpected binaries, credentials, or third-party installs are requested — that fits the stated purpose.
! Instruction Scope
The SKILL.md instructs the agent to read target content and also to consult prior decisions in CLAUDE.md and a shared State Model when available. It further directs the agent to 'Promote' veto items and top priorities into memory files (memory/hot-cache.md and memory/open-loops.md) and to auto-trigger as a PostToolUse hook. Those reads/writes to shared agent memory and automatic triggering are broader than a simple, one-off audit and could surprise users — especially because the skill explicitly says it will auto-save without user confirmation.
Install Mechanism
Instruction-only skill with no install spec and no code files; lowest install risk. It lists allowed-tools: WebFetch and optional network access for integrations (not enabled by default). No downloads or third-party package installs are requested.
Credentials
The skill declares no required environment variables, credentials, or config paths. That is proportional to an instruction-only auditing skill. It does mention optional SEO tool integrations (which would require credentials) but those are not required by the skill as published.
! Persistence & Privilege
Although always:false and no special install privileges are requested, the skill explicitly directs the agent to write audit results and veto items into named memory files and to auto-save them without user confirmation. Persistently writing to shared agent memory and auto-triggering via PostToolUse are meaningful privileges and should be disclosed to users and controllable by policy/config.
Scan Findings in Context
[no-code-files] expected: The regex scanner found no code files because this is an instruction-only skill. That's expected for a prose-based audit skill; however, instruction-only skills rely entirely on SKILL.md behavior, so the instructions are the primary security surface.
What to consider before installing
This skill appears to perform the advertised SEO/EEAT audit, but pay attention to two runtime behaviors before installing or enabling it: (1) it may auto-trigger after other writing tools complete (PostToolUse hook) and skip interactive setup, and (2) it will write audit verdicts and flagged 'veto' items into shared agent memory (memory/hot-cache.md and memory/open-loops.md) without asking the user. If you store sensitive or proprietary drafts in the agent, consider disabling auto-trigger hooks or restricting the skill's permission to write to memory. Also: if you enable optional external SEO integrations, ensure you only provide credentials to trusted services and review where network access goes. If you want a safer setup, ask the publisher to remove unconditional auto-save behaviors or to require explicit user confirmation before writing to shared memory.


Tags: content-audit, content-quality, eeat, latest, seo, seo-audit
