Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Akkualle SEO Audit
v1.0.0
Automated daily SEO monitoring and content optimization with keyword ranking, meta description checks and thin-content detection for akku-alle.de.
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's stated purpose is daily SEO monitoring and automated fixes for akku-alle.de, which plausibly requires an API. However, the SKILL.md and code expose a hardcoded admin secret and call high-privilege actions (e.g., blog.update). The manifest declares no credentials, yet the skill needs a v9 admin secret — that mismatch is unexplained and disproportionate.
Instruction Scope
SKILL.md instructs posting a plaintext secret to https://akku-alle.de/api/admin and scheduling cron jobs that run scripts. The README references fix_meta.py and expand_content.py that are not present in the bundle. The runtime code imports a skill_memory helper from /root/.openclaw/workspace/tools (outside the skill dir) to obtain secrets and log actions, introducing implicit external dependencies and access to agent memory that are not documented in the manifest.
Install Mechanism
There is no install spec (instruction-only), which minimizes installer risk. However, the package includes executable code (seo_audit.py) that will run network requests; there is no build/install step but the script expects external modules and a specific filesystem layout (/root/.openclaw/...), which may fail or hide behavior depending on runtime environment.
Credentials
The manifest declares no required credentials, yet the SKILL.md contains a clear-text admin secret and the code will use get_secret('v9') or fall back to that hardcoded secret. The skill therefore requires high-privilege credentials (admin API) while asking for none transparently. Accessing the agent's memory path (/root/.openclaw/workspace/tools) also broadens its access surface.
Persistence & Privilege
The skill is not marked always:true and does not claim to modify other skills or global config. It does, however, call log_action into skill memory and can be invoked autonomously (platform default). Autonomous invocation combined with admin API access increases blast radius, but autonomous invocation itself is the default and not alone a reason to block.
What to consider before installing
This skill contains a hardcoded admin secret and will POST administrative actions (including blog.update) to akku-alle.de. Before installing:
(1) Do not trust the provided secret — verify ownership of the target site and the authenticity of the skill author.
(2) Confirm why no credentials are declared in the manifest while a v9 admin key is required.
(3) Request the missing scripts (fix_meta.py, expand_content.py) and inspect them.
(4) Inspect the skill_memory implementation at /root/.openclaw/workspace/tools to see what get_secret and log_action do (they can leak or store secrets).
(5) Prefer running this in an isolated/test environment, and remove or rotate any hardcoded secret.
If you don't control akku-alle.de or cannot verify the author, do not install.
Like a lobster shell, security has layers — review code before you run it.
latest vk97b715bbnjza0yswd3043z4rn83njgn
