Back to skill
Skillv1.0.0
ClawScan security
programmatic-seo · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 11, 2026, 3:24 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's files and runtime instructions match its stated purpose (programmatic SEO) and request no unrelated credentials or installs.
- Guidance
- This skill appears coherent and limited in scope. Things to consider before installing: (1) SKILL.md instructs the agent to read .claude/product-marketing-context.md if present — ensure that file doesn't contain sensitive secrets you don't want shared with the agent. (2) The included Python script can read a user-supplied JSON config path; only provide non-sensitive example data. (3) The skill references additional docs (references/playbooks.md) that aren't bundled; expect some guidance links to be missing. No network/exfiltration behavior or credential requests were found.
Review Dimensions
- Purpose & Capability
- okThe name/description (programmatic SEO) align with the included assets: an SEO-focused SKILL.md and a small URL-pattern generator script. There are no unexplained environment variables, binaries, or install steps.
- Instruction Scope
- okSKILL.md stays on-topic: it defines playbooks, checklists, and asks the agent to read a local product context file (.claude/product-marketing-context.md) if present. Reading that workspace file is reasonable for personalization; SKILL.md references an auxiliary file (references/playbooks.md) that is not included but this is an availability/authoring issue rather than a security inconsistency.
- Install Mechanism
- okNo install spec is provided (instruction-only) and the single Python script is small, local, and has no network or extraction/install behavior. No downloads or package installs are requested.
- Credentials
- okThe skill requests no environment variables or credentials. The only file access described is to a local product-marketing-context file and optionally a user-supplied JSON config for URL generation — both are proportional to the task.
- Persistence & Privilege
- okalways is false and the skill does not request any persistent system-level privileges or modify other skills. Model invocation is allowed (default) which is expected for skills.