ClawHub

canonry

v1.1.1

Open-source AEO monitoring CLI. Track how AI answer engines cite your domain across ChatGPT, Gemini, Claude, and Perplexity.

1· 95·0 current·0 all-time
byArber X@arberx
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (AEO monitoring CLI) align with the instructions: commands reference provider APIs (Gemini/OpenAI/Claude/Perplexity), Google/Bing indexing, CDP browser scraping, scheduling, and webhooks — all expected for a citation-monitoring tool.
Instruction Scope
SKILL.md instructs use of the canonry CLI and covers init/start/run, provider keys, Google OAuth, Bing API, IndexNow, CDP (Chrome remote debugging), and adding webhooks/telemetry. These are within the tool's scope, but features that send data externally (notify webhooks) or require running Chrome with --remote-debugging-port deserve explicit user attention before use.
Install Mechanism
The skill is instruction-only (no install spec). The Quick Start points to installing an npm package (@ainyc/canonry) and a GitHub repo — this is reasonable for a CLI. Because the skill does not itself download code, there is no hidden install mechanism in the skill bundle.
Credentials
The operations described legitimately need provider API keys, Google Search Console OAuth and Bing API keys, and optionally IndexNow key and a running Chrome instance for CDP. The skill does not request unrelated credentials or config paths in its metadata.
Persistence & Privilege
always:false and default invocation settings are used. The skill does not request permanent platform privileges or modifications to other skills. Scheduling, telemetry, and webhook features are normal for a monitoring tool but should be configured consciously by the user.
Assessment
This skill appears coherent for its stated purpose, but review these before installing or using it: 1) The CLI requires provider API keys and Google/Bing access (OAuth/API keys) — only supply keys for accounts you control. 2) The Quick Start installs an npm package (@ainyc/canonry); verify the package and GitHub repo authenticity and inspect the package code if you can. 3) Features that send data externally (notify webhooks) can leak collected results — only add trusted webhook URLs. 4) CDP usage requires running Chrome with --remote-debugging-port=9222, which exposes a local debugging interface — run that only in a trusted/sandboxed environment. 5) Indexing commands can mass-submit URLs (e.g., --all-unindexed); confirm you want automated indexing actions. If you want higher assurance, review the upstream npm/GitHub source for the package and test in an isolated environment before pointing production credentials at it.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dsv7443ammp812a87zg3zwn83bxrn

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments