site analyzing tools
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its site-analysis purpose, but its first-run network probe unsafely inserts external HTTP response data into local Python code execution.
Install only if you are comfortable with active network probing and third-party lookup services. Before use, the maintainer should fix the environment probe so external response fields are safely encoded instead of embedded into python -c code, and users should review the saved ~/.site-analyzer-env.json file.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A compromised network path or provider response could make the first-run probe run unintended code on the user's machine.
The script fetches geolocation data over HTTP and interpolates returned fields directly into a Python code string without JSON/shell escaping. A malicious or altered response containing quotes or code-like text could cause unintended local Python execution during the probe.
IP_INFO=$(curl -s --max-time 5 "http://ip-api.com/json/${MY_IP}" ...)
...
python3 -c "
import json
data = {
    'my_ip': '$MY_IP',
    'country': '$COUNTRY',
    'city': '$CITY',
    'isp': '$ISP',

Build the JSON with safe data passing, such as environment variables plus json.dumps, a here-document that reads stdin, or jq/python parsing without embedding untrusted strings into executable code; prefer HTTPS geolocation APIs.
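The safe pattern this recommendation describes, as an added example rather than code from the skill: the raw lookup response travels into Python through an environment variable and is parsed with json.loads, so quotes or code-like text in any field remain data and the output is built with json.dumps. The sample response is constructed (note the single quote in the city field), MY_IP is assumed to come from the earlier probe step, and the HTTPS URL in the comment is a placeholder.

```shell
#!/bin/sh
# Added example: hardened version of the environment-probe step.
# The geolocation response never becomes part of the Python source text.

# Constructed sample response (not a real lookup); "city" contains a quote.
SAMPLE_RESPONSE='{"status":"success","country":"Ireland","city":"O'\''Brien","isp":"Example ISP","query":"203.0.113.7"}'

# build_env_json RAW_RESPONSE MY_IP -> prints the baseline JSON on stdout.
# In the real probe RAW_RESPONSE would be the output of something like
#   curl -s --max-time 5 "https://<geolocation-api>/json/${MY_IP}"   (URL is a placeholder)
build_env_json() {
    # Quoted heredoc delimiter: the shell expands nothing inside the script.
    IP_INFO="$1" MY_IP="$2" python3 - <<'PY'
import json, os

raw = os.environ.get("IP_INFO", "")
try:
    info = json.loads(raw)          # untrusted text is parsed, never executed
except json.JSONDecodeError:
    info = {}                       # unusable response: fall back to empty fields
if not isinstance(info, dict):      # a bare string or array is not a lookup result
    info = {}

def field(key):
    # Only accept string values; anything else is treated as missing.
    value = info.get(key, "")
    return value if isinstance(value, str) else ""

data = {
    "my_ip": os.environ.get("MY_IP", ""),
    "country": field("country"),
    "city": field("city"),
    "isp": field("isp"),
}
# json.dumps escapes quotes and backslashes, so the file is always valid JSON.
print(json.dumps(data))
PY
}

# Run the hardened probe on the constructed response.
build_env_json "$SAMPLE_RESPONSE" "203.0.113.7"
```

In the skill the printed line would be piped to tee "$ENV_FILE" exactly as the original probe does; only the way the fields reach Python changes.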
Using the skill may reveal the queried domain/IP, route hops, and the user's network vantage point to external services and to the target site.
The skill is designed to run network diagnostic tools and make external DNS, traceroute, ping, WHOIS, robots.txt, and IP-geolocation requests. This matches the stated purpose, but users should know it actively probes targets and uses third-party lookup services.
01_dig.py ... DNS query ... DoH fallback ... 03_traceroute.py ... 05_ping.py ... 06_robots.py ... robots.txt
Use it only for domains/IPs you are allowed to test, and avoid analyzing sensitive internal hosts unless you are comfortable sending related network data to the listed services.
Anyone or any process with access to the user's home directory could read the saved network baseline.
The environment probe stores a persistent local baseline containing the user's public IP, approximate location, ISP, DNS settings, and tool availability. This is disclosed in SKILL.md and useful for comparison, but it is persistent local network metadata.
ENV_FILE="$HOME/.site-analyzer-env.json" ... " | tee "$ENV_FILE"
Review or delete ~/.site-analyzer-env.json if you do not want this baseline retained; the skill should document retention and cleanup clearly.
Target websites may log the request as a Googlebot-like crawler request rather than a normal site-analysis tool request.
The robots.txt fetcher uses a Googlebot-like User-Agent. The sub-skill documentation discloses this, and it is limited to robots.txt analysis, but it can make the request appear to the target site as if it came from Googlebot-compatible tooling.
HEADERS = {
    "User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
}

Prefer a truthful User-Agent identifying this tool, or make crawler impersonation an explicit user-selected option.
