Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Meta Tags Optimizer
v8.0.0Optimize title tags, meta descriptions, Open Graph, Twitter cards for maximum CTR with A/B variations. 标题优化/元描述/CTR
⭐ 4· 1.9k·4 current·4 all-time
byAaron Zhu@aaron-he-zhu
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's stated purpose (create/optimize title tags, meta descriptions, OG/Twitter cards, A/B variations) matches the instructions and reference assets. However, the SKILL.md explicitly describes automatic pulling of Search Console and third‑party SEO tool data (CTR by query, impressions, competitor patterns) and references optional 'MCP network access for SEO tool integrations' without declaring any required connectors, environment variables, or configuration paths. Automated metric collection normally requires explicit connectors/credentials (e.g., Google Search Console, Google Analytics, Ahrefs/SEMrush APIs); that capability is claimed but not justified by requested permissions.
Instruction Scope
The runtime instructions and references stay within SEO/meta-tag tasks (templates, CTR heuristics, A/B methodology). They refer to reading internal brief/state files (CLAUDE.md, state model) which is coherent for a build-layer skill. The only scope creep is the open-ended wording about automatic data pulls and 'use whenever a shippable asset is needed' which could lead to frequent activation; instructions do not direct reading of unrelated system files or secrets in the provided content.
Install Mechanism
No install spec and no code files (instruction-only). This reduces risk — nothing is downloaded or written to disk by an installer in the package itself.
Credentials
The skill declares no required environment variables or primary credential, yet describes behavior that typically requires credentials (Search Console, analytics, or third-party SEO tool APIs). This mismatch could mean: (a) the skill expects the host agent to already provide connectors without documenting them, or (b) the author assumed optional connectors but failed to declare them. Either way, the lack of declared credential requirements is disproportionate to the claimed automatic integration capabilities.
Persistence & Privilege
always is false (not force-included). The contract says outputs can be written to memory/content/ and related memory files — that is expected for a build/handoff skill and is limited in scope. The skill does not request system-wide config changes or privileged permanent presence.
What to consider before installing
Before installing or enabling this skill: 1) Ask the author or review CONNECTORS.md to confirm how (and where) it connects to Search Console, Analytics, or SEO tools and which credentials it needs — the SKILL.md promises automatic metric pulls but the package declares no credentials. 2) Never paste API keys or service tokens into free-text chat; instead configure connectors in the platform's secure connector/credential storage. 3) If you plan to allow automatic integrations, verify where the skill will store outputs (it references memory/content/) and ensure that the agent's memory/access controls meet your data-handling policies. 4) Test the skill first with non-sensitive sample pages/content to confirm behavior and to watch for unexpected network activity. 5) If you need stronger assurance, request the author to explicitly declare required env vars, connector names, and a minimal privacy/security summary.Like a lobster shell, security has layers — review code before you run it.
ctrvk974f1jcrnh6896pkv8ne8z6sh84bdm8latestvk975xr8xawme0zcr99s8edj70n84t6mameta-tagsvk974f1jcrnh6896pkv8ne8z6sh84bdm8seovk974f1jcrnh6896pkv8ne8z6sh84bdm8title-optimizationvk974f1jcrnh6896pkv8ne8z6sh84bdm8
License
MIT-0
Free to use, modify, and redistribute. No attribution required.