v1.0.0

Indexnow Pro

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 8:08 AM.

Analysis

The skill mostly matches its SEO indexing purpose, but one included example would send a Baidu token over plain HTTP, so it should be reviewed before use.

Guidance: Use this only for sites you own. Review any batch URL list before submission, avoid placing real passwords or tokens in shell history, and do not copy the Baidu HTTP token example with a real token unless you have verified a secure official method.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
`ping-batch` | Submit multiple URLs at once (up to 10,000)

The skill supports large batch submissions to search engines, which is expected for an IndexNow tool but can affect how many pages are submitted for crawling.

User impact: A user or agent could submit many URLs for indexing at once, which may affect SEO/crawl behavior.
Recommendation: Use batch and sitemap commands only for websites you own and review the URL list before submitting.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
script.sh
curl -X POST "https://yoursite.com/wp-json/wp/v2/pages" \
  -u "user:password"

The WordPress setup example uses site credentials and publishes content to host the IndexNow key; this is purpose-aligned but uses account authority.

User impact: If copied, the command can create public website content using a WordPress account.
Recommendation: Use a least-privileged account, confirm the target site, and avoid exposing passwords in shared terminals or logs.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Concern
script.sh
curl -X POST "http://data.zz.baidu.com/urls?site=yoursite.com&token=YOUR_TOKEN"

The Baidu alternative places an access token in a plain HTTP URL, which can expose the token to network observers or logs if used with a real token.

User impact: A real Baidu token could be leaked and used to submit URLs for the user’s site.
Recommendation: Do not use real tokens over plain HTTP; prefer an official HTTPS endpoint or a safer authenticated method, and keep tokens out of command histories and logs.