Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Backlink Analyzer

v1.0.0

Backlink analysis for off-page SEO. Identify toxic links, discover link-building opportunities, and analyze competitor backlinks.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The SKILL.md describes a command-line tool (examples: `backlink-analyzer analyze ...`) and commercial functionality (price, license), but the skill bundle contains no binary, no install spec, no API endpoints, and no required credentials. It's unclear whether this is documentation for a separate product, a wrapper that expects a preinstalled binary, or a missing payload.
Instruction Scope
The instructions themselves stay within backlink-analysis scope (audits, toxic link detection, outreach templates, disavow guidance) and do not ask for unrelated system data or secrets. However, they instruct running a CLI that the package does not provide, which grants the agent ambiguous authority to attempt to run external commands or assume the binary exists.
! Install Mechanism
There is no install spec at all even though the documentation implies a discrete tool. For a commercial CLI the absence of an install or download source (GitHub release, package name, or container) is unexpected and incoherent. This increases the risk of either a broken skill or one that expects the agent to fetch code from an unspecified place.
Credentials
The skill declares no environment variables, no credentials, and no config paths; the instructions do not attempt to read hidden env vars. Requested access is therefore proportionate to the described backlink analysis tasks.
Persistence & Privilege
The skill is user-invocable, not always-included, and does not request persistent privileges. Autonomous model invocation is allowed (platform default) but there is no additional privileged presence requested by the skill.
What to consider before installing
Do not install or run this skill as-is. Key issues to resolve before you proceed:
(1) provenance — there is no author homepage or source and owner/version info inside _meta.json conflicts with the registry metadata (mismatched ownerId and version), so verify who published this and whether the package is authentic;
(2) missing binary/install — the SKILL.md shows CLI usage but the bundle contains no executable or install instructions; ask the publisher for an explicit install method (official release URL, package name, or container) and verify the URL is a trusted release host;
(3) commercial/licensing questions — SKILL.md lists a price and commercial license but there is no purchase or license enforcement mechanism described; confirm payment/usage terms before sending money or sensitive info;
(4) if you expect the tool to run on your machine, only use binaries from the vendor's verified site and run them in a sandbox or VM first;
(5) if you want to use only the included documentation (rubric and outreach templates), that content appears normal for SEO outreach but be careful with outreach templates to avoid spam or privacy law issues.
If the publisher can supply a clear install spec (trusted release URL or package name), matching metadata, and a maintainer contact, re-evaluate; otherwise treat this as documentation-only and do not grant it access to run or fetch code automatically.

Like a lobster shell, security has layers — review code before you run it.
