Indexnow Pro
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The visible artifacts describe a straightforward SEO helper, with expected user-directed submissions of site URLs and optional use of website/search-console credentials.
This appears safe for its stated purpose if you use it deliberately: only submit URLs for sites you own, review any sitemap-derived URL list, use least-privilege credentials, and remember that submitted URLs and keys are sent to external search/indexing providers. The provided script display was truncated, so review the untruncated source before executing script.sh directly.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used with the wrong sitemap or domain, many URLs could be sent to search engines for crawling/indexing.
The skill supports bulk external API actions that can notify search engines about many pages. This is disclosed and aligned with the SEO purpose, but users should review the URL scope before using it.
`ping-batch` | Submit multiple URLs at once (up to 10,000) ... `ping-sitemap` | Extract URLs from sitemap.xml and submit all
Use it only for websites you own, inspect generated URL lists, and test with a small batch before running bulk submissions.
Copying the example with real credentials could expose them in shell history or publish an unintended page on the site.
The setup guidance includes an example that uses website credentials and publishes content through the WordPress REST API. This is purpose-aligned for hosting the IndexNow key, but it touches account privileges.
curl -X POST "https://yoursite.com/wp-json/wp/v2/pages" \
-u "user:password" \
-d "title=${KEY}&content=${KEY}&slug=${KEY}&status=publish"Use least-privilege application passwords or tokens, avoid entering real passwords in shared terminals/logs, and confirm the published key page is intended.
Users may not see all practical tool requirements from registry metadata alone.
The registry metadata declares no required binaries and no install spec, while the skill text notes external tools are needed for API calls. This is a metadata completeness issue rather than hidden installation behavior.
## Requirements - A website you own - An IndexNow key file hosted at your domain root - curl or Node.js for API calls
Review the SKILL.md requirements and ensure you trust and understand any local tools or commands before running the examples.