Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill Seo

v0.1.0

Optimize your ClawHub skill for maximum discoverability. Analyzes and rewrites SKILL.md description for vector search ranking, suggests keyword coverage, che...

0· 507·1 current·1 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The SKILL.md content matches the advertised purpose (analyzing and rewriting SKILL.md for ClawHub discovery). However, the instructions repeatedly call out use of the 'clawhub' CLI and simple shell commands (head, bash snippets) while the skill metadata lists no required binaries—this is a minor mismatch: the skill implicitly expects the ClawHub CLI and basic shell utilities to be present.
Instruction Scope
Instructions stay within the SEO/description optimization scope (read SKILL.md, run searches/inspections, generate new description, publish). They do not instruct reading unrelated system files or exfiltrating data. They do include explicit tactics that encourage frequent version bumps and seeding installs to improve ranking (i.e., advice to 'install your own skill across your agents' and bump versions), which is manipulative behavior rather than a technical incoherence—flagged as an ethical/practice note.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so there is no installer or external archive to fetch. That is the lowest technical risk for installation.
Credentials
The skill metadata declares no required env vars or primary credential, yet the runtime instructions include 'clawhub publish' and 'clawhub inspect' which normally require authentication (CLI credentials or API tokens). The omission of any declared credential requirement is an inconsistency: the skill will likely need ClawHub auth to perform publishing/inspecting but does not declare that. There's no request for unrelated secrets, but the missing declaration may cause the agent to prompt for credentials or attempt actions without clarifying expected auth.
Persistence & Privilege
The skill does not request persistent or elevated privileges (always:false, no config path writes, no self-enabling behavior in metadata). It does instruct publishing and version-bumping, but that is expected for its stated purpose and does not modify other skills or agent configs.
Assessment
This skill is coherent with its stated purpose and is instruction-only (low technical risk). Before installing, note: (1) SKILL.md assumes the 'clawhub' CLI and basic shell tools — verify those are available and official; (2) publishing/inspection steps will require ClawHub authentication but the skill metadata doesn't declare required credentials — be prepared to provide CLI auth and avoid entering secrets into untrusted prompts; (3) the advice to repeatedly bump versions and 'seed' installs is a ranking-manipulation tactic (ethical/marketplace policy concern) — only follow it if it complies with ClawHub rules; and (4) test the workflow in a non-production environment and confirm you control the skill publishing rights before running 'clawhub publish.' If you want higher assurance, ask the publisher to declare required binaries and auth flows explicitly.

Like a lobster shell, security has layers — review code before you run it.
