aeo-system
Pass
Audited by ClawScan on May 1, 2026.
Overview
This marketing/analytics skill is coherent and disclosed, but it uses third-party AI APIs, API keys, local report files, and public brand-data templates that users should configure carefully.
This appears safe to install for its stated AEO purpose. Before running it, use scoped API keys, expect data to be sent to Perplexity/OpenAI, run scripts only in a controlled working directory, and review any generated public brand facts or Answer Hub content for accuracy and disclosure.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your Perplexity/OpenAI API accounts may be billed or rate-limited, and the questions you run are sent to those providers.
The skill uses provider API keys to query third-party AI services. This is disclosed and purpose-aligned, but users should understand that their API credentials and query content are used with those providers.
requiredEnv:
  - PERPLEXITY_API_KEY # Required for Answer Intent Map automation
  - OPENAI_API_KEY # Optional — enables ChatGPT query automation
Use dedicated API keys with appropriate limits, avoid putting confidential business data in prompts unless intended, and rotate keys if they are exposed.
Running the script can make multiple external API calls and create local output files in the configured working directory.
The included Node.js script performs network API calls and uses filesystem access. These capabilities are expected for collecting AI recommendation data and writing reports, but they are still meaningful local/remote tool use.
hostname: 'api.perplexity.ai' ... hostname: 'api.openai.com' ... const fs = require('fs');
Run it from a project directory you control, review the generated queries/configuration first, and monitor API usage or costs.
A user relying only on registry metadata may not realize the automation requires Node.js and provider API keys.
The registry metadata under-declares runtime needs that SKILL.md describes, including Node.js and API keys. The mismatch is disclosed in the skill text, so it is a setup clarity issue rather than evidence of hidden execution.
Required binaries (all must exist): none ... Required env vars: none
Before installing or running, confirm Node.js is available and set only the API keys you intend the skill to use.
Published brand facts, pricing, support contacts, certifications, and product claims may be reused by AI systems and seen publicly.
The skill provides a persistent public machine-readable brand facts file intended for AI crawler retrieval. That is core to the AEO purpose, but it can expose business details and influence downstream AI answers if inaccurate or overly promotional.
"_instructions": "This file lives at /.well-known/brand-facts.json — the standard location AI crawlers check for brand data."
Publish only verified public information, remove placeholders/internal notes, keep disclosures accurate, and review the file whenever facts change.
If the user separately schedules it, the skill could repeatedly query AI providers and update tracking outputs.
The skill contemplates recurring maintenance. The artifacts do not install a cron job or show hidden background behavior, but recurring automation should be explicitly user-approved.
Trigger: "Run weekly AEO maintenance" or scheduled cron
Only schedule recurring runs intentionally, document where the schedule is configured, and set API usage limits.
