Skill v1.0.0

ClawScan security

pSEO Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 12, 2026, 9:18 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only blueprint for building programmatic SEO pipelines; its requirements and instructions are internally consistent and proportional to that purpose.
Guidance
This skill is a high-quality, instruction-only blueprint (no code or installers). It's safe from a manifest perspective, but it is not a ready-to-run package — referenced files (schema and niche examples) are not bundled and you'll need to implement generation, validation, and renderers yourself. Before using: (1) ensure you have legitimate access and quota for whichever LLM you will call (the guide recommends Gemini Flash) and understand costs and privacy implications of sending data to that model, (2) confirm you supply any required API keys separately and do not expose sensitive data to the model, (3) review SEO and legal risks of large-scale autogenerated pages (indexing, duplicate content, and policy compliance), and (4) expect to build validation and rate-limiting around the described parallel generation to avoid accidental overuse of model/quota.

Review Dimensions

Purpose & Capability
ok
The name/description (programmatic SEO via strict JSON schemas and React renderers) matches the SKILL.md content: taxonomy design, schema-first generation, validation, and renderers. There are no unrelated environment variables, binaries, or install steps requested that would be surprising for this task.
Instruction Scope
note
Runtime instructions stay within the stated purpose (design niches, define TypeScript schemas, generate JSON via an LLM, validate, and render). The doc references local files (references/niche-taxonomy.md, references/schema-library.md) that are not bundled with the skill — this is an implementation gap (not a security alarm) and means the skill as-distributed is a blueprint rather than a runnable package. It also recommends using an external model (Gemini Flash) and high parallelism, which implies you must provide model access/keys and manage API cost/quotas outside the skill.
Install Mechanism
ok
There is no install specification and no code files — instruction-only skills present the least disk/execution risk. Nothing is downloaded or written by an install step.
Credentials
ok
The skill declares no required environment variables, credentials, or config paths. The content describes calling an LLM (Gemini Flash) but does not ask for unrelated secrets or credentials in the skill manifest — this is proportionate. Note: to actually run the described pipeline you will need model API access and any relevant service credentials, but those are not requested by this skill itself.
Persistence & Privilege
ok
always is false and the skill is user-invocable with normal autonomous invocation allowed. It does not request permanent agent presence or ask to modify other skills or system-wide config.