ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SEO Audit Bot

v1.0.0

Perform a comprehensive SEO audit of any website. Analyzes technical SEO, on-page factors, content quality, performance, and generates an actionable report w...

0· 49·0 current·0 all-time
by@eyensama
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill's name, description, SKILL.md, README, and scripts all align with an SEO auditing purpose. However, the package metadata claims no required binaries while README and scripts clearly rely on web_fetch/exec and on-system tools (curl, grep, sed, wc). This is a minor incoherence: the tool genuinely needs HTTP-fetching and basic Unix text utilities, but they are not declared in the registry metadata.
Instruction Scope
SKILL.md instructs fetching the target URL, robots.txt, sitemap and analyzing HTML — all appropriate for SEO. The included script performs these fetches and writes temporary files to /tmp. A security-relevant behavior: the skill will fetch arbitrary URLs supplied by the user (including intranet/private IPs), which is expected for this purpose but introduces SSRF-like risks if run in an environment with access to internal services. The instructions do not attempt to read unrelated local files or exfiltrate data to external endpoints.
Install Mechanism
There is no install spec (instruction-only with an included helper script). Nothing downloads or extracts remote archives; the code consists of plain files and a shell script. No high-risk install mechanisms are present.
Credentials
The skill declares no environment variables or credentials and does not request broad secrets. The runtime behavior uses network fetches only, which is proportionate to the stated purpose. The only resource access is writing temporary files under /tmp for analysis (normal for a shell helper).
Persistence & Privilege
The skill is not marked always:true and does not request permanent agent-wide privileges. It does not modify other skills or system-wide configurations. Autonomous invocation is allowed by default but not combined with other concerning factors.
Assessment
This skill appears to do what it says: fetch a URL and analyze HTML for SEO signals. Before installing or running it, note: (1) the README/script expect HTTP fetch capabilities (web_fetch or curl) and typical Unix text tools (curl, grep, sed, wc) even though the registry metadata doesn't list them — ensure your runtime provides them; (2) the skill will fetch any user-supplied URL, so in environments that can reach internal network services this can be used to access intranet endpoints (SSRF risk) — restrict allowed domains or run in an isolated environment if that matters; (3) review the included scripts (scripts/audit.sh) before execution — they write temporary files to /tmp and use standard command-line parsing (no obfuscation), which appears benign. If you need stronger guarantees, run the skill in a sandboxed agent or review/modify the script to enforce allowed hostnames.

Like a lobster shell, security has layers — review code before you run it.

latestvk978eg3ymg16z1wy9rzft0sbb983r16g

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments