Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Seo

v1.0.0

Search engine optimization for startups and products. Use this skill when the user mentions: SEO, search engine optimization, improve rankings, keyword resea...

by Emerson Braun (@emersonbraun)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Pending
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name, description, and SKILL.md all align: this is an SEO audit/implementation guide focused on technical and on-page developer tasks (meta tags, sitemap, robots, Core Web Vitals, schema, Next.js snippets). It requests no binaries, env vars, or installs — which is proportionate for an instruction-only SEO skill.
Instruction Scope
Most instructions stay on-topic (checks for robots.txt, sitemap, canonical tags, Core Web Vitals tools, schema examples, Next.js code). However the Output Format section instructs the agent to provide the 'Full source of all included files' and to 'Review these carefully for malicious behavior, hidden endpoints, data exfiltration...' — this is open-ended and may encourage the agent (or the user interacting with the agent) to collect and transmit entire site repositories or configuration files. An SEO audit rarely requires full source dumps or secrets; requesting the entire codebase or config files is disproportionate and increases the risk of accidental exposure of credentials or sensitive data.
Install Mechanism
No install spec and no code files to execute. Instruction-only skills that don't download or install artifacts pose minimal installation risk.
Credentials
The skill declares no required environment variables or credentials, which is appropriate. The guide references external services (PageSpeed Insights, WebPageTest, Google Search Console, analytics) that may require user-provided access or exports; asking for read-only reports or screenshots is proportionate, but the SKILL.md does not constrain how access should be provided. The earlier 'full source' instruction is the main proportionality concern because it could result in sharing secrets or private configs unnecessarily.
Persistence & Privilege
The skill is not always-enabled, does not request persistent system presence, and has no install scripts. It does not modify other skills or agent-wide settings in the provided content.
What to consider before installing
This skill is a normal SEO advisor and appears technically coherent, but be careful about what you share when using it. Do not upload or paste your entire repository, .env files, private keys, or database/config backups. For an audit, prefer giving: (a) individual public URLs to check, (b) exported PageSpeed/Search Console/Analytics reports or screenshots, (c) specific snippets (robots.txt, sitemap.xml, sample page HTML, and the Next.js metadata/sitemap/robots files) rather than full source. If the agent asks for Search Console or analytics access, provide read-only access or share exports instead of full admin credentials. If you need to have the skill examine code, redact secrets and limit scope to the minimal files needed for the check. Consider running the audit locally and sharing only the findings rather than full source.


latest: vk971qsp2w13256m39cykngeq9184cj63
