page-cro

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This CRO skill appears coherent and purpose-aligned, with only limited notes about reading local marketing context and optionally auditing a local file or URL.

This skill looks safe to use for CRO analysis. Before installing, be aware that it may use a local `.claude/product-marketing-context.md` file for context and its optional helper script can read a chosen HTML file or fetch a chosen URL.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI06: Memory and Context Poisoning
Low
What this means

Prior project context may shape the CRO recommendations the agent gives.

Why it was flagged

The skill uses a persistent local context file as input to its recommendations. This is relevant to marketing-page analysis, but stale or untrusted context could influence the agent's advice.

Skill content

If `.claude/product-marketing-context.md` exists, read it before asking questions.

Recommendation

Keep `.claude/product-marketing-context.md` accurate and avoid placing sensitive or untrusted instructions in it.

ASI02: Tool Misuse and Exploitation
Low
What this means

If used, the script may access the local page file or external page URL the user provides.

Why it was flagged

The helper script can read a local HTML file or fetch a URL for audit. This is expected for a CRO page analyzer, but users should ensure inputs are intentional.

Skill content

Usage:
  python3 conversion_audit.py --file page.html
  python3 conversion_audit.py --url https://example.com

Recommendation

Run the helper only on pages or URLs you intend to analyze, and review output before acting on recommendations.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

Users have limited external provenance information for the included helper script.

Why it was flagged

The skill includes a Python helper script but does not provide an external source or homepage for provenance. No suspicious behavior is shown in the supplied artifacts.

Skill content

Source: unknown
Homepage: none
Code file presence: scripts/conversion_audit.py

Recommendation

Review the included script before use if provenance matters for your environment.