Skill v1.0.0
ClawScan security
site-architecture · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 11, 2026, 3:24 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's files and runtime instructions are consistent with a site-architecture/SEO audit utility: it contains reference docs and a small sitemap analyzer script and requests no credentials or installs, but it will read local context files (if present) and can fetch a user-provided sitemap URL — so be mindful of what you hand it.
- Guidance: This skill appears to do what it says: audit and plan site architecture using included guidance and a local Python sitemap analyzer. Before installing or invoking it, consider: (1) the analyzer can fetch any sitemap URL you provide — avoid giving internal-only or sensitive endpoints (SSRF/internal network exposure risk); (2) SKILL.md says to read marketing-context.md if present — don't keep secrets in that file if you want to limit what the skill can read; (3) if you have strict network or file-access policies, review the small scripts/sitemap_analyzer.py to confirm its behaviour (it uses urllib.request and printing only). If those concerns are acceptable, the skill is coherent and proportionate for its purpose.
Review Dimensions
- Purpose & Capability (ok): Name/description (site architecture, URL hierarchy, internal linking) align with included artifacts: SKILL.md, two reference guides, and a sitemap_analyzer.py script. No unrelated environment variables, binaries, or install steps are requested.
- Instruction Scope (note): SKILL.md instructs the agent to read a local 'marketing-context.md' file if present and to run scripts/sitemap_analyzer.py on the user's sitemap (or fetch a sitemap URL). Reading a local context file and fetching a sitemap are reasonable for this purpose, but they do expand the agent's access to local files and external network resources — the agent will read user-supplied local files and may make HTTP requests to user-provided URLs.
- Install Mechanism (ok): No install spec and only a small stdlib Python script are included. No downloads from external hosts or package installs; low installation risk.
- Credentials (ok): The skill requests no environment variables, credentials, or config paths. This is proportionate to the stated purpose.
- Persistence & Privilege (ok): always:false and no requests to modify other skills or system config. Normal autonomous invocation is allowed by default but not escalated by the skill.
